Snort mailing list archives

RE: Snort rules


From: "Chris Vaughan" <chrisv () parkavebank com>
Date: Tue, 8 Feb 2005 15:28:59 -0500

The truthful answer is this: the rules are set up to meet the needs of *most* users. If the rule doesn't fit your 
needs, then make a modified copy of it and stick it in your local.rules file.
 
Don't expect snort to completely match your needs right out of the box. Most of us have spent weeks/months setting up 
custom rules, thresholds, and the like to make snort work in our environments.  
 
Chris Vaughan
 
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of sEc nErD
Sent: Tuesday, February 08, 2005 3:17 PM
To: Snort Users Postings
Subject: RE: [Snort-users] Snort rules
 
I have a question for security admins here.
Our client performed an internal port scan using super scan on their internal network. When I say internal network I mean private network LAN.
Our snort sensor didn't catch any of it, the whole port scan, and after doing some digging I saw the scan.rules file and saw that it is checking all inbound port scans like $external any-->$Home Network 
Now the client is questioning us as to why this should not be checked both ways. He is saying if it is somebody in their network doing a port scan it will go unnoticed.
Can anybody answer this?
Thanks
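
Making a modified copy of a rule for local.rules, as suggested in the reply above, sketched as an added example (not part of the original thread and not code from the Snort project). The sample rule is constructed, `localize_rule` is a hypothetical helper, and it assumes single-line rules and the Snort convention that local rules use SIDs of 1,000,000 and above.

```python
import re

# Snort convention: SIDs below 1,000,000 belong to distributed rule sets;
# locally written rules use 1,000,000 and above.
LOCAL_SID_BASE = 1_000_000

# Rule header: action proto src sport direction dst dport (options)
HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)

# Constructed sample in the style of a scan.rules entry (sid is a placeholder).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
               '(msg:"SCAN example SYN FIN"; flags:SF; sid:999001; rev:3;)')

def localize_rule(rule, new_src, local_sid):
    """Return a copy of `rule` for local.rules with a different source
    address, a SID from the local range, rev reset to 1 and a tagged msg.
    The stock rule is left untouched, so rule-set updates cannot clobber
    the local variant."""
    m = HEADER.match(rule.strip())
    if m is None:
        raise ValueError("not a single-line Snort rule")
    if local_sid < LOCAL_SID_BASE:
        raise ValueError("local SIDs must be >= 1000000")
    opts = m.group("opts")
    if not re.search(r'\bsid\s*:\s*\d+\s*;', opts):
        raise ValueError("rule has no sid option")
    # New identity: the copy must not share a SID with the stock rule.
    opts = re.sub(r'\bsid\s*:\s*\d+\s*;', f'sid:{local_sid};', opts, count=1)
    if re.search(r'\brev\s*:\s*\d+\s*;', opts):
        opts = re.sub(r'\brev\s*:\s*\d+\s*;', 'rev:1;', opts, count=1)
    else:
        opts += ' rev:1;'
    # Tag the message so alerts from the local copy are easy to tell apart.
    opts = re.sub(r'\bmsg\s*:\s*"', 'msg:"LOCAL ', opts, count=1)
    return (f'{m.group("action")} {m.group("proto")} {new_src} '
            f'{m.group("sport")} {m.group("dir")} {m.group("dst")} '
            f'{m.group("dport")} ({opts})')

if __name__ == "__main__":
    # $HOME_NET as source covers internal-to-internal scans; "any" covers both.
    print(localize_rule(SAMPLE_RULE, "$HOME_NET", 1000001))
```

The rewritten rule only fires on traffic the sensor can actually see, so internal-to-internal coverage also depends on where the sensor is placed.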