![snort logo](/images/snort-logo.png)
Snort mailing list archives
RE: rules files
From: "Gray . Brendan" <bgray2 () drc com>
Date: Fri, 12 Oct 2001 09:45:49 -0400
I got my snort running with the Arachnids rules file (dated August 21), and it seems to be doing ok. I was experimenting with the whitehats rules file, but it wasn't working for me. I can get snort to run, but it doesn't log to the alert file. The logging section is the same as with Arachnids, it just won't work.

I know the Arachnids default setup uses the following preprocessors:

defrag
stream2: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
telnet_decode
http_decode: 80 2301
rpc_decode: 111
bo: -nobrute
portscan: $INTERNAL 5 5 portscan

and the Snort rules default setup uses the following:

frag2
stream4: detect_scans
stream4: reassemble
http_decode: 80 -unicode -cginull
rpc_decode: 111
bo: -nobrute
telnet_decode
portscan: $HOME_NET 4 3 portscan.log

I do have my variables declared properly for each one<g>. The output options for both are the same, nothing configured so it should go to the alert file. It does with the Arachnids conf but not the snort conf. Strange. I'm wondering if it has to do with the different pre-processor settings. Does anyone know?

I'm running it on a RedHat 7.1 box Pentium 166, 48 megs RAM, 2.4.3 kernel and all the latest updates from RedHat. After viewing results using the arachnids rules/conf I'd like to try the snort rules/conf to compare the two. The Snort rules/conf might be more inclusive.

Brendan Gray

-----Original Message-----
From: Dr SuSE [mailto:drsuse () lizard drsuse org]
Sent: Thursday, October 11, 2001 11:18 PM
To: steve () donegan org; snort-users () lists sourceforge net
Subject: Re: [Snort-users] rules files

Go with the rules from snort.org. The Arachnids rules haven't been updated in several months.
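The two preprocessor setups in the post differ in more than the preprocessor names: the portscan line in the Arachnids conf is keyed on $INTERNAL, the one in the Snort conf on $HOME_NET, so a conf that declares one variable but not the other is an easy thing to miss when switching between them. The checker below is an added example, not code from the mailing list or from the Snort project. It parses snort.conf-style text, lists which preprocessors each fragment enables, and flags any $VARIABLE that a preprocessor or rule line references without a matching `var` declaration. The two config fragments are constructed from the lines quoted in the post; the Snort-style one deliberately leaves HOME_NET undeclared so the check has something to report.

```python
# Added example (not from the mailing-list post or the Snort project): a small
# checker for snort.conf-style fragments. It reports which preprocessors each
# fragment enables and which $VARIABLE references have no `var` declaration.
import re

VAR_DECL = re.compile(r"^var\s+(\w+)\s+(\S.*)$")
PREPROC = re.compile(r"^preprocessor\s+(\w+)\s*:?\s*(.*)$")
VAR_REF = re.compile(r"\$(\w+)")

# Constructed sample fragments built from the preprocessor lines quoted in the
# post. Only INTERNAL and EXTERNAL_NET are declared, so the Snort-style
# fragment's $HOME_NET references should be flagged as undeclared.
ARACHNIDS_CONF = """\
var INTERNAL 192.168.1.0/24
var EXTERNAL_NET any
preprocessor defrag
preprocessor stream2: timeout 23, ports 21 23 25 80 110 143, maxbytes 16384
preprocessor telnet_decode
preprocessor http_decode: 80 2301
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor portscan: $INTERNAL 5 5 portscan
alert tcp $EXTERNAL_NET any -> $INTERNAL any (msg:"constructed sample rule";)
"""

SNORT_CONF = """\
var INTERNAL 192.168.1.0/24
var EXTERNAL_NET any
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4: reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed sample rule";)
"""


def parse_conf(text):
    """Return (declared_vars, preprocessors, referenced_vars) for one config."""
    declared = {}
    preprocessors = []   # list of (name, argument string)
    referenced = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        referenced.update(VAR_REF.findall(line))   # $NAME on any line counts
        m = VAR_DECL.match(line)
        if m:
            declared[m.group(1)] = m.group(2)
            continue
        m = PREPROC.match(line)
        if m:
            preprocessors.append((m.group(1), m.group(2).strip()))
    return declared, preprocessors, referenced


def undeclared_vars(text):
    """Names used as $NAME anywhere in the config but never declared with `var`."""
    declared, _, referenced = parse_conf(text)
    return sorted(referenced - set(declared))


def diff_preprocessors(conf_a, conf_b):
    """Preprocessor names enabled only in conf_a and only in conf_b."""
    names_a = {name for name, _ in parse_conf(conf_a)[1]}
    names_b = {name for name, _ in parse_conf(conf_b)[1]}
    return sorted(names_a - names_b), sorted(names_b - names_a)


def portscan_settings(text):
    """Argument string of the portscan preprocessor, or None if it is absent."""
    for name, args in parse_conf(text)[1]:
        if name == "portscan":
            return args
    return None


if __name__ == "__main__":
    only_a, only_b = diff_preprocessors(ARACHNIDS_CONF, SNORT_CONF)
    print("only in Arachnids conf:", only_a)
    print("only in Snort conf:", only_b)
    for label, conf in (("Arachnids", ARACHNIDS_CONF), ("Snort", SNORT_CONF)):
        print(label, "portscan:", portscan_settings(conf))
        print(label, "undeclared variables:", undeclared_vars(conf))
```

Running it prints the preprocessors unique to each fragment (defrag and stream2 on one side, frag2 and stream4 on the other), the two portscan argument strings side by side, and `['HOME_NET']` as undeclared for the Snort-style fragment. Pointing `parse_conf` at a real snort.conf is a cheap first check before assuming the preprocessor settings themselves are the reason alerts stop appearing.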
Which set of rules are 'better' - the ones from the snort website or the ones from the arachnids database?
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- rules files Steven P. Donegan (Oct 11)
- <Possible follow-ups>
- Re: rules files Dr SuSE (Oct 11)
- RE: rules files Gray . Brendan (Oct 12)