[Snort-users] Modifying Rules Works One Direction, but Not T'Other

Doug Burks doug.burks at ...11827...
Sat Nov 29 15:33:28 EST 2014


Replies inline.

On Sat, Nov 29, 2014 at 3:22 PM, colony.three
<colony.three at ...17037...> wrote:
>> These variables are not defined in the bash environment and that's why
>> your tests are showing up blank. These variables are defined in your
>> snort.conf file. Please see /etc/nsm/HOSTNAME-INTERFACE/snort.conf.
>
> In that case the rule-update script cannot work correctly.

Why do you say that?

> I noticed /etc/nsm/hex-eth0/snort.conf, but I couldn't find anywhere in the
> documentation nor videos where it says I need to modify that for my network.

Please see Step #1 on the PostInstallation page on our Wiki:
https://code.google.com/p/security-onion/wiki/PostInstallation

> And it doesn't define EXTERNAL_NET correctly anyway;  It sets it to 'any',
> when it should be !$HOME_NET.

Some organizations want/need EXTERNAL_NET to be 'any'.

Also note that Snort's default snort.conf has EXTERNAL_NET set to 'any':
https://labs.snort.org/snort/2970/snort.conf

You can certainly set it to !$HOME_NET if that's what you'd like to do.

> And anyway, I have reason to doubt it is
> noticed by SO.

If HOME_NET and EXTERNAL_NET are defined properly in the correct
snort.conf file, then Snort will read those variables correctly.

>> You should also be able to use our Google Group as a standard mailing
>> list just like this Snort mailing list. Send email to
>> security-onion at ...14071... from your existing non-Google email
>> account you're using here. You'll receive replies at the same
>> non-Google email account. At that point, it's really no different
>> than using this Snort mailing list.
>
> I guess that would work to not subscribe, as long as those who reply do so
> to me directly.  But this email address is still associated with me, and I'm
> interested in G**gle having as little info about me as possible.  I just
> have never trusted them for anything.  If you're not paying for the
> product...  you -are- the product.

This Snort mailing list is public and is therefore indexed by Google,
so there's really not much difference between exposing your email
address to this Snort mailing list or the Security Onion mailing list.



-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!
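The point made above, that HOME_NET and EXTERNAL_NET live in snort.conf rather than in the shell environment, can be checked directly from the file. The script below is an added example, not code from the thread or from Security Onion: it reads `ipvar`/`var` lines from a constructed snort.conf fragment (the real file on a Security Onion sensor is the /etc/nsm/HOSTNAME-INTERFACE/snort.conf path named in the thread) and reports whether EXTERNAL_NET is set to `any` or to `!$HOME_NET`. The helper names `snort_var` and `external_net_mode` are this example's own.

```shell
#!/bin/sh
# Added example: inspect which network variables a Snort config actually
# defines. They are set by "ipvar"/"var" lines in snort.conf, so checking
# "$HOME_NET" in the shell always comes back empty.

# Two constructed snort.conf fragments: one with EXTERNAL_NET any (the
# Snort default), one with EXTERNAL_NET !$HOME_NET.
CONF_ANY=$(mktemp)
cat >"$CONF_ANY" <<'EOF'
# constructed sample fragment
ipvar HOME_NET [192.168.1.0/24,10.0.0.0/8]
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
EOF

CONF_NOTHOME=$(mktemp)
cat >"$CONF_NOTHOME" <<'EOF'
# constructed sample fragment
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
EOF

# snort_var CONF NAME
# Prints the value from the last uncommented "ipvar|var|portvar NAME value"
# line in CONF, or nothing if NAME is never defined there.
snort_var() {
    awk -v name="$2" '
        !/^[[:space:]]*#/ && ($1 == "ipvar" || $1 == "var" || $1 == "portvar") && $2 == name { val = $3 }
        END { if (val != "") print val }
    ' "$1"
}

# external_net_mode CONF
# Classifies EXTERNAL_NET as: any | not-home | other | undefined
external_net_mode() {
    v=$(snort_var "$1" EXTERNAL_NET)
    case "$v" in
        "")            echo undefined ;;
        any)           echo any ;;
        '!$HOME_NET')  echo not-home ;;
        *)             echo other ;;
    esac
}

# The shell environment has no HOME_NET; snort.conf does.
echo "shell HOME_NET: '${HOME_NET:-}' (empty: not a shell variable)"
echo "snort.conf HOME_NET: $(snort_var "$CONF_ANY" HOME_NET)"
echo "EXTERNAL_NET mode (default-style conf): $(external_net_mode "$CONF_ANY")"
echo "EXTERNAL_NET mode (!\$HOME_NET conf):    $(external_net_mode "$CONF_NOTHOME")"
```

Point `snort_var` at the sensor's real snort.conf to confirm what Snort will load; a value of `any` for EXTERNAL_NET is the upstream default, and `!$HOME_NET` is the alternative discussed above.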
