Snort mailing list archives
Re: A few questions
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 14 Sep 2004 20:08:20 -0400
At 05:36 PM 9/14/2004, Newbie wrote:
> I am not on a network, I simply have my PC and router as a home configuration. However I get a lot of false negatives where the error relates to my router. How can I configure HOME_NET to therefore include any IPs that begin with 123.123 etc? Currently it is setup IP/32 what would the new one be?
123.123.0.0/16 (contains 123.123.0.0 through 123.123.255.255)

Also, for completeness, should you need a smaller range at some point: 123.123.123.0/24 (contains 123.123.123.0 through 123.123.123.255)
> Secondly, because I am using a home PC/router, I am not sure the flow:to_server is relevant for me. These commands also include major anti-trojan rules which don't seem to therefore work for my PC setup. Can I simply remove these commands if I am not on a server?
Some of them are relevant. In this context "server" refers to the system which answered a TCP connection request, not something running on a "server" version of Windows, etc.
A backdoor installed on your machine could appear as a "server" in this context.
However, if you aren't running any DNS servers, webservers, etc., you can, and probably should, trim down which .rules files you are using.
> And finally a more simple question, apart from a Snort equivalent with some more graphs, what more security features do all these wiz-bang systems you pay thousands for actually include?
800 number Technical support contracts, known good hardware, preconfigured, prehardened, etc. Some have different approaches to processing packets with various advantages and drawbacks, but at a high-level view they are quite similar.
On some level it's a bit like asking what the difference between a Linux box with a good iptables config and a couple of NICs and a Cisco PIX is. Both serve the same functions, but you can spend a lot of time setting up the Linux box to get it right.
Also having a support contract where they can request a replacement unit with 24-hour delivery is reassuring in a business environment where downtime costs, although this is more relevant to routers/firewalls than IDS's.
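A worked example of the HOME_NET sizing discussed above, added here as illustration and not part of the original thread. It uses Python's standard ipaddress module to check which addresses a given HOME_NET block covers, and goes one step beyond the reply by computing the smallest single CIDR block that contains both the PC and the router, so HOME_NET is not widened further than it needs to be (a wider HOME_NET also claims addresses that are not yours, which shifts how Snort's $HOME_NET/$EXTERNAL_NET rules classify traffic). The 123.123.x.x addresses are placeholders taken from the question, and the two host addresses are constructed for the example.

```python
import ipaddress

# Constructed sample addresses in the 123.123.x.x space used in the question.
# They are placeholders for this example, not real hosts.
PC_IP = "123.123.200.5"
ROUTER_IP = "123.123.1.1"


def home_net_covers(home_net: str, ip: str) -> bool:
    """Return True if `ip` falls inside the HOME_NET CIDR block `home_net`.

    strict=False lets a host address with a prefix (e.g. 123.123.200.5/32,
    the per-host setting from the question) be parsed as a network.
    """
    return ipaddress.ip_address(ip) in ipaddress.ip_network(home_net, strict=False)


def smallest_covering_block(ips) -> ipaddress.IPv4Network:
    """Smallest single CIDR block that contains every address in `ips`.

    Starts from the first host as a /32 and widens the prefix one bit at a
    time until every other host is a subnet of it.
    """
    nets = [ipaddress.ip_network(ip) for ip in ips]  # each host as a /32
    block = nets[0]
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()  # drop one prefix bit: /32 -> /31 -> ... 
    return block


def home_net_line(block: ipaddress.IPv4Network) -> str:
    """The snort.conf variable line for the chosen block (Snort 2 syntax)."""
    return f"var HOME_NET {block}"


if __name__ == "__main__":
    for candidate in (f"{PC_IP}/32", "123.123.123.0/24", "123.123.0.0/16"):
        print(f"{candidate:20} covers router? {home_net_covers(candidate, ROUTER_IP)}")
    block = smallest_covering_block([PC_IP, ROUTER_IP])
    print(home_net_line(block))
```

With the constructed addresses the /32 and /24 candidates leave the router outside HOME_NET, which is what produces the alerts the question describes, while the computed block for these two hosts comes out as 123.123.0.0/16, matching the reply; with hosts that share more leading bits the function returns a tighter block than /16.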