PS: Snort Newbie

["Jason Withrow" <jwithrow () mediaone net>]

Ok, I think that is the problem, I need to define the IP's as External
and Internal.
 
I am guessing (Don't laugh, I am pretty new at this) that the $EXTERNAL
var should be my global internet NIC IP and $INTERNAL should be my
intranet 192.168.x.x NIC?
 
Also, how does one make any sense out of the packets? This looks pretty
Greek to me.
 
[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
09/16-02:55:00.611575 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800
len:0x5EA
66.31.138.68:1198 -> 66.31.82.9:80 TCP TTL:124 TOS:0x0 ID:51642 IpLen:20
DgmLen:1500 DF
***A**** Seq: 0xF79A6595  Ack: 0xF0C2A391  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+
 
- J
 
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason
Withrow
Sent: Sunday, September 16, 2001 2:52 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort Newbie
 
Hi,  I just installed the 1.8 win32 build of Snort on a win2k Server.
 
I have having a difficult time getting the rule sets to work.
 
I think, that I don't have the rules set up properly. 
Do I need to define $INTERNAL and $EXTERNAL as ip/ports somewhere?
 
This is just for my home box.
 
Here is the sample rule I am trying to get to work.
 
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS552/web-iis_IIS ISAPI
Overflow ida"; dsize: >239; flags: A+; uricontent: ".ida?"; classtype:
system-or-info-attempt; reference: arachnids,552;)
 
Thanks for any help, it is greatly appreciated.
 
- Jwatch