Snort mailing list archives

Newbie - Rules updates, multiple interfaces, etc.


From: "Mark G. Spencer" <mspencer () evidentdata com>
Date: Sun, 9 May 2004 11:41:22 -0700

Hello all,

I've been away from Snort for a while and just got back into it yesterday.
I'm running Snort on two machines, one Win98 and another WinXP Professional.
The command I run (from the USAGE document) is:

Snort -d -h (IP Address)/24 -l (Path to Log Folder) -c (Path to snort.conf)

This works pretty well - I came in this morning and had almost 150 alerts on
one of the Snort machines.

I'm curious about some things:

1.)  Is there a way to automate rules updates?

2.)  On Win98/2K/XP, can I configure Snort to run on two interfaces, logging
to separate log folders?  Or run two instances of Snort, one for each
interface?  My thought here is having one interface outside the firewall and
one inside.

3.)  I'm not much of a database person and have had difficulty with MySQL in
the past.  For those of you running Snort that are not all that great with
databases, how do you recommend collecting and reviewing the Snort output?

4.)  I asked this when I first tried Snort - how can I enable *all* Snort
rules?  I got an answer (or answers) back that you wouldn't want to do this,
you should tune your rules for the platforms Snort is running in front of.
This doesn't make sense to me from a security perspective - who's to say,
through an intrusion, other IT guys, or the curious guy in engineering, that
new services will appear on your network that you hadn't planned on?  If you
have the processing power, wouldn't you want Snort utilizing the full ruleset?

Thanks in advance for suffering through the newbie questions!

Mark

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users