Re: Modifying Rules Works One Direction, but Not T'Other

[Doug Burks <doug.burks () gmail com>]

Replies inline.

On Sat, Nov 29, 2014 at 3:22 PM, colony.three
<colony.three () protonmail ch> wrote:
> > These variables are not defined in the bash environment and that's why
> your tests are showing up blank. These variables are defined in your
> snort.conf file. Please see /etc/nsm/HOSTNAME-INTERFACE/snort.conf.
>
> In that case the rule-update script can not work correctly.

Why do you say that?

> I noticed /etc/nsm/hex-eth0/snort.conf, but I couldn't find anywhere in the
> documentation nor videos where it says I need to modify that for my network.

Please see Step #1 on the PostInstallation page on our Wiki:
https://code.google.com/p/security-onion/wiki/PostInstallation

> And it doesn't define EXTERNAL_NET correctly anyway;  It sets it to 'any',
> when it should be !$HOME_NET.

Some organizations want/need EXTERNAL_NET to be 'any'.

Also note that Snort's default snort.conf has EXTERNAL_NET set to 'any':
https://labs.snort.org/snort/2970/snort.conf

You can certainly set it to !$HOME_NET if that's what you'd like to do.

> And anyway, I have reason to doubt it is
> noticed by SO.

If HOME_NET and EXTERNAL_NET are defined properly in the correct
snort.conf file, then Snort will read those variables correctly.

> > You should also be able to use our Google Group as a standard mailing
> list just like this Snort mailing list. Send email to
> security-onion () googlegroups com from your existing non-Google email
> account you're using here. You'll receive replies at the same
> non-Google email account. At that point, it's really no different
> than using this Snort mailing list.
>
> I guess that would work to not subscribe, as long as those who reply, do so
> to me directly.  But this email address is still associated with me, and I'm
> interested in G**gle having as little info about me as possible.  I just
> have never trusted them for anything.  If you're not paying for the
> product...  you -are- the product.

This Snort mailing list is public and is therefore indexed by Google,
so there's really not much difference between exposing your email
address to this Snort mailing list or the Security Onion mailing list.



-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!