Snort mailing list archives

Re: snort.conf


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 20 Apr 2004 19:18:35 -0400

At 03:05 PM 4/20/2004, Chuck Holley wrote:
> I have snort running, and I am impressed by it. I guess now I am trying to understand the conf. I understand what the variables do sort of. I would like to set variables for my DNS servers, SMTP, and Web. How do I do that exactly???

Um, edit your snort.conf so the DNS_SERVERS, SMTP_SERVERS and HTTP_SERVERS variables list the IP addresses of the servers you run. These default to HOME_NET, but you can edit them in snort.conf.


> What does the external_net mean?? I guess I am looking for a sample conf with explanations of my options and what they mean. I am brand new to IDS, excuse my ignorance.

EXTERNAL_NET is just a variable used by many rules in the ruleset. Most of the default ruleset looks for attacks which come from an IP address in EXTERNAL_NET and go to HOME_NET. Others look for exploit responses going the other way.

In general, EXTERNAL_NET should be set to whatever IP addresses you want to monitor as potential sources of attack. "any" is a good starting point, but !HOME_NET also has its merits in that you save CPU time by not checking packets generated by your own network as a source of attack.

However, what you want/need to monitor is very dependent on what kind of network you run. For example, if you worked for a university, it might well be that you would reverse the typical meanings of HOME and EXTERNAL and monitor for attacks coming from your computer labs and being launched into the rest of the world.
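
The trade-off between `any` and `!$HOME_NET` described in the reply above, as an added example that is not part of the original post: a small Python model of how Snort 2.x-style `var` lines resolve and which packets a `$EXTERNAL_NET any -> $HOME_NET any` rule header would inspect. The addresses and the helper names (`parse_vars`, `matches`, `rule_inspects`) are constructed for illustration, and only flat lists without spaces are handled.

```python
import ipaddress

# Constructed snort.conf fragment (Snort 2.x "var" syntax); addresses are made up.
SAMPLE_CONF = """
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 192.168.1.53/32
var SMTP_SERVERS [192.168.1.25/32,192.168.1.26/32]
var HTTP_SERVERS $HOME_NET   # left at the default, as the reply describes
"""

def parse_vars(conf):
    """Collect 'var NAME VALUE' lines, ignoring comments and blank lines."""
    out = {}
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "var":
            out[parts[1]] = parts[2]
    return out

def matches(addr, spec, variables):
    """True if addr is covered by spec: any, CIDR, [flat,list], $VAR or !negation."""
    if spec.startswith("!"):
        return not matches(addr, spec[1:], variables)
    if spec == "any":
        return True
    if spec.startswith("$"):
        return matches(addr, variables[spec[1:]], variables)
    if spec.startswith("["):
        items = spec[1:-1].split(",")
        pos = [i for i in items if not i.startswith("!")]
        neg = [i[1:] for i in items if i.startswith("!")]
        return ((not pos or any(matches(addr, i, variables) for i in pos))
                and not any(matches(addr, i, variables) for i in neg))
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_inspects(src, dst, variables):
    """Would a '$EXTERNAL_NET any -> $HOME_NET any' rule header look at this packet?"""
    return (matches(src, "$EXTERNAL_NET", variables)
            and matches(dst, "$HOME_NET", variables))

if __name__ == "__main__":
    v = parse_vars(SAMPLE_CONF)
    # One outside source and one inside source, both sending to an internal SMTP server.
    for src in ("203.0.113.7", "192.168.1.40"):
        print(src, "-> 192.168.1.25 inspected:", rule_inspects(src, "192.168.1.25", v))
```

With `EXTERNAL_NET` set to `!$HOME_NET`, the internal-to-internal packet is skipped by such rules; changing the variable to `any` makes the same rule header cover it, at the CPU cost the reply mentions.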








