Snort mailing list archives

Two Snort-related questions:


From: "tom porter" <tporter () dtool com>
Date: Wed, 13 Feb 2002 00:15:52 -0500

I've been lurking on this list for a while, & I have yet to see answers
to these two questions.
Maybe they are in the FAQ but I haven't found them.

1. I've been running snort/demarc on a bunch of different FreeBSD boxes
for a while. And I'm using the full default ruleset. Easy question - In
order for snort to work I have to unpack all of the rules into
/usr/local/share/snort. Is this directory definable somewhere? You'd
think it would be in snort.conf - but I don't see where to put it there.

2. Harder - I have several boxes in several DMZs. If I put a snort box
(configured as above w/ full rules) in one of these zones & let it
capture for a while - then compare it to the log output of a BSD box
running w/ the log_in_vain options set - the results are dissimilar.
Specifically, the snort sensor does not pick up SubSeven scans (pretty
frequent). Is this a problem w/ my ruleset?

Thanks, Tom


