Snort mailing list archives

Re: demarc help requested....


From: SkatFiend () aol com
Date: Fri, 08 Feb 2002 12:34:57 EST

Ok, I'm hanging out at home with my sick 5 yr old son, so I'll try to give you a hand ;)

Snort, as you probably know, needs to read the following files in this order to initialize correctly.
1) snort.conf file
2) classification.conf file
3) all of the *.rules files

As I understand it, Demarc copies the config files into the MySQL database, so... here is what you need to do:

1) All config files MUST be done through the Demarc web interface.

2) They must be done in the order that Snort needs to read them to initialize correctly. That means, under the 
"Configure" menu button, then "Configure NIDS Rules": 1st, cut and paste from your snort.conf text file into a 
ruleset named snort.conf. 2nd, cut and paste the contents of the classification.conf into a second ruleset named 
(surprise :) classification.conf. 3rd, cut and paste the "include" rules lines that are normally at the end of the 
snort.conf into a third ruleset named rules.conf. (Oh, by the way, make sure to take the include lines out of the 
snort.conf copied to Demarc.)

It is important to build the rulesets in this order, as I believe Demarc reads them in the order they were input.

Lastly, if you have problems with rule errors, you can cut and paste the contents of the classification.conf onto the 
end of the snort.conf in the Demarc interface.

The bottom line is that Snort is able to initialize and read the config files in the correct order.

Oh yeah, and the "Validate" option does NOT work for the Win32 version at present. Best bet is to simply look at the DOS 
box when Snort is initialized via Demarc and visually check that it started correctly.

Hope this helps,

Clifford Arms
Network Nut - Metrocall, Inc.
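The three-ruleset split described above (snort.conf without its include lines, then classification.conf, then the include lines as rules.conf) is mechanical enough to script. The following is an added example, not code from Demarc, Snort or the poster: it takes the text of a stock snort.conf and a classification file, returns the rulesets in the order Demarc should receive them, and adds the check a practitioner wants when "rule errors" appear, namely which classtype names the rules use that the classification file never defines. The sample config and rule lines are constructed; the assumption that the include line for the classification file is redundant once classification.conf is its own ruleset is mine, not the page's.

```python
"""Split a snort.conf into the three Demarc rulesets, in load order, and
check rule classtypes against the classification file.
Added example; not Demarc's or Snort's own code."""
import re
from typing import List, Set, Tuple

# Constructed sample inputs, trimmed to the lines that matter for the split.
SAMPLE_SNORT_CONF = """\
var HOME_NET 192.168.1.0/24
var RULE_PATH ../rules
preprocessor frag2
output database: log, mysql, user=snort dbname=snort host=localhost
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include classification.config
"""

SAMPLE_CLASSIFICATION = """\
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
"""

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)\s*$")
CLASS_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),")
CLASSTYPE_RE = re.compile(r"classtype:\s*([A-Za-z0-9_-]+)\s*;")


def split_includes(snort_conf: str) -> Tuple[str, List[str]]:
    """Return snort.conf with its include lines removed, plus those include
    lines in their original order (they become the rules.conf ruleset)."""
    kept, includes = [], []
    for line in snort_conf.splitlines():
        if INCLUDE_RE.match(line):
            includes.append(line.strip())
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", includes


def build_demarc_rulesets(snort_conf: str, classification: str) -> List[Tuple[str, str]]:
    """Ordered (ruleset name, content) pairs to paste into Demarc, first to last."""
    base, includes = split_includes(snort_conf)
    # Assumption: classification.conf is pasted as its own ruleset, so an
    # include line pointing at the classification file would load it twice.
    rule_includes = [i for i in includes if "classification" not in i]
    return [
        ("snort.conf", base),
        ("classification.conf", classification),
        ("rules.conf", "\n".join(rule_includes) + "\n"),
    ]


def defined_classtypes(classification: str) -> Set[str]:
    """Classtype names declared by 'config classification:' lines."""
    names = set()
    for line in classification.splitlines():
        m = CLASS_RE.match(line)
        if m:
            names.add(m.group(1).strip())
    return names


def undefined_classtypes(rules_text: str, classification: str) -> List[str]:
    """Classtypes referenced by rules but never defined: what you see as
    rule errors when the rules load before the classification file."""
    known = defined_classtypes(classification)
    used = CLASSTYPE_RE.findall(rules_text)
    return sorted({c for c in used if c not in known})


if __name__ == "__main__":
    for name, content in build_demarc_rulesets(SAMPLE_SNORT_CONF, SAMPLE_CLASSIFICATION):
        print(f"=== {name} ===\n{content}")
```

Run the file directly to see the three rulesets printed in paste order; feed `undefined_classtypes` the concatenated contents of your *.rules files and the classification file to find the names that will trip Snort if the classification ruleset is not loaded first.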

Subj:   [Snort-users] demarc help requested.... 
Date:   Thu, 7 Feb 2002 9:44:47 PM Eastern Standard Time 
From:   "Jeff Jennings" <jjennings () zoominternet net> 
To:   <snort-users () lists sourceforge net> 

I’m having trouble getting Demarc to read any rules…

Anyone out there using Demarc on W2k???

Thanks

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users