[Snort-users] Snort rules
chrisv at ...12963...
Tue Feb 8 12:29:53 EST 2005
The truthful answer is this: the rules are set up to meet the needs of *most* users. If the rule doesn't fit your needs, then make a modified copy of it and stick it in your local.rules file.
Don't expect snort to completely match your needs right out of the box. Most of us have spent weeks/months setting up custom rules, thresholds, and the like to make snort work in our environments.
From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at ...3204...ts.sourceforge.net]On Behalf Of sEc nErD
Sent: Tuesday, February 08, 2005 3:17 PM
To: Snort Users Postings
Subject: RE: [Snort-users] Snort rules
I have a question for security admins here.
Our client performed an internal port scan using super scan on their internal network. When I say internal network I mean private network LAN.
Our snort sensor didn't catch any of the whole port scan, and after doing some digging I saw the scan.rules file and saw that it is checking all inbound
port scans like $external any-->$Home Network
Now the client is questioning us as to why this should not be checked both ways. He is saying if it is somebody in their network doing a port scan it will go unnoticed.
Can anybody answer this?
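The reply's advice (copy the rule, modify it, put it in local.rules) can be scripted as below. This is an added example, not part of the original thread or of the Snort project; the sample rule, its SIDs and the function names are constructed for illustration, and using `$HOME_NET` as the source for internal scans is an assumption about what the site wants.

```python
import re

# Constructed sample in the style of a scan.rules entry (not copied from a real ruleset).
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN example FIN probe"; flags:F,12; classtype:attempted-recon; sid:99901; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"example outbound rule"; sid:99902; rev:1;)
"""

# Rule header: action proto src sport direction dst dport (options)
HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
LOCAL_SID_BASE = 1000000  # SIDs from 1,000,000 up are for locally written rules


def localize_rule(line, new_sid):
    """Return an internal-source copy of an inbound rule, or None if it does not apply."""
    m = HEADER.match(line.strip())
    if not m or m["src"] != "$EXTERNAL_NET" or m["dst"] != "$HOME_NET":
        return None
    if new_sid < LOCAL_SID_BASE:
        raise ValueError("local rules need a sid >= 1000000")
    opts = m["opts"]
    # Mark the copy, give it its own sid and restart its revision counter.
    opts = re.sub(r'msg:\s*"', 'msg:"LOCAL internal ', opts, count=1)
    opts = re.sub(r"\bsid:\s*\d+;", f"sid:{new_sid};", opts, count=1)
    opts = re.sub(r"\brev:\s*\d+;", "rev:1;", opts, count=1)
    return (f"{m['action']} {m['proto']} $HOME_NET {m['sport']} {m['dir']} "
            f"$HOME_NET {m['dport']} ({opts})")


def build_local_rules(text, first_sid=LOCAL_SID_BASE):
    """Produce local.rules lines for every inbound rule found in text."""
    out, sid = [], first_sid
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comments
        rule = localize_rule(line, sid)
        if rule:
            out.append(rule)
            sid += 1
    return out


if __name__ == "__main__":
    print("\n".join(build_local_rules(SAMPLE_RULES)))
```

The copied rules only fire on traffic the sensor can see, so internal-to-internal coverage also depends on the sensor monitoring a segment that carries that traffic.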