Snort mailing list archives

RE: var HOME_NET and rule updates


From: "Noller, Gregory" <Noller2G () kochind com>
Date: Fri, 26 Jul 2002 09:39:40 -0500

--__--__--

Message: 13
From: "Daniel Lopez" <dlopez () tct hut fi>
To: <snort-users () lists sourceforge net>
Date: Fri, 26 Jul 2002 16:31:59 +0300
Subject: [Snort-users] newbie questions about snort.conf

Hello,

I'm a newbie with Snort and I guess you will find the following
questions are basic.
I'm performing some tests on Snort with two LANs. I set the HOME_NET and
EXTERNAL_NET variables to these values:

var HOME_NET 10.50.1.0/24
var EXTERNAL_NET !$HOME_NET


===>Just set your vars to any to capture all threats in both directions.
var HOME_NET any
var EXTERNAL_NET any



However, I would like to detect attacks from both subnets. Do you know
if I will be able to detect attacks from both sides (from inside and
outside my home network) with these values or should I set them to ANY?

Then, because I am using small LANs for tests, I don't have any SMTP,
HTTP and SQL servers.
Thus, do I have to set the other variables to ANY (HTTP_SERVERS,
SQL_SERVERS,...) or do I have to comment them out? (however, if I comment
them out, I will have problems with rules, won't I?)

Just leave them as they are, default.  They will work fine.


Last question [sorry! :( ], I downloaded the last version 1.8.7 and the
Snort rulesets.
My question is how do I update rules?

By hand.  The hard way.

Once you start customizing the rules to work for you, it gets real hard to
update the rules.
I used to do it by hand, now I use Demarc Puresecure (a commercial product)
and it updates rules automagically.

I'm sure there are scripts, freeware products, and favorite ways.  I just
don't have the time.



Greg
Wichita
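
The effect of the two settings discussed in this message, as an added example (not part of the original post and not Snort's own code): a simplified Python model of how address variables in a rule header decide which traffic directions a rule can match. The rule header shape, the second LAN 10.50.2.0/24 and all host addresses are assumptions constructed for illustration.

```python
import ipaddress

def resolve(spec, variables):
    """Expand 'any', a CIDR, $VAR or !spec to (negated, network or None for any)."""
    negated = spec.startswith("!")
    spec = spec[1:] if negated else spec
    if spec.startswith("$"):
        inner_negated, net = resolve(variables[spec[1:]], variables)
        return negated != inner_negated, net
    return negated, None if spec == "any" else ipaddress.ip_network(spec)

def addr_matches(ip, spec, variables):
    negated, net = resolve(spec, variables)
    hit = True if net is None else ipaddress.ip_address(ip) in net
    return hit != negated

def rule_fires(rule, src, dst, variables):
    """rule is (source spec, '->' or '<>', destination spec)."""
    rsrc, op, rdst = rule
    fwd = addr_matches(src, rsrc, variables) and addr_matches(dst, rdst, variables)
    rev = addr_matches(dst, rsrc, variables) and addr_matches(src, rdst, variables)
    return fwd or (op == "<>" and rev)

# The two configurations from the thread.
POSTED = {"HOME_NET": "10.50.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
ANY = {"HOME_NET": "any", "EXTERNAL_NET": "any"}

# Assumed header shape: many rules are written "$EXTERNAL_NET any -> $HOME_NET <port>".
RULE = ("$EXTERNAL_NET", "->", "$HOME_NET")

# Constructed flows; 10.50.2.0/24 stands in for the second test LAN.
FLOWS = {
    "outside->inside": ("10.50.2.7", "10.50.1.5"),
    "inside->outside": ("10.50.1.5", "10.50.2.7"),
    "inside->inside": ("10.50.1.5", "10.50.1.9"),
}

def coverage(variables, rule=RULE):
    """Return which constructed flows the rule header can match."""
    return {name: rule_fires(rule, s, d, variables) for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("any/any", ANY)):
        print(label, coverage(cfg))
```

With any/any the same rule header also matches traffic that stays inside one LAN, so more traffic is eligible to raise alerts.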


