[Dshield] SNORT

Dragos Ruiu dr at kyx.net
Tue Aug 14 09:58:38 GMT 2001

Additional snort suggestions:

snort-users at lists.sourceforge.net is also another good list where many snort
users are available to help out. Many new and breaking issues and signatures 
are discussed there.

There is a new more stable version of snort now in cvs (with a few bugs fixed
that aren't tweaked in the RPM yet), it's the rc2 release candidate for snort
1.8.1, which will likely release tomorrow.  It's probably worth your time to
learn how to get snort from CVS as this is usually the latest and most
sophisticated ruleset and bugfixes/stability. It's safe to say that the RPM lags
the cvs version by as much as a few weeks sometimes, so if you want the best
protection, install from source.  Unlike most projects, on snort, -current is
usually the most stable - if past record is any indication.

The distribution includes a good ruleset (read USAGE, the FAQ and look in
snort.conf). The FAQ has instructions on how to test out your snort amongst
other things... and answers some questions on where to get rules and how to
merge updates to them etc...


On Mon, 13 Aug 2001, Ed Greshko wrote:
> Hi,
> All of your questions can be answered at www.snort.org.
> Yes, you need a rules file to make SNORT work well...
> Ed
>   -----Original Message-----
>   From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
> Behalf Of Mel Chandler PMI
>   Sent: Tuesday, August 14, 2001 01:36
>   To: 'dshield at dshield.org'
>   Subject: [Dshield] SNORT
>   I'm new to Linux and SNORT and was wondering if I could get some tips
> and/or help.  I have installed SNORT v1.8 rpm on Red Hat 7.1, when it
> complained about missing a file, which I believe was the rules file, I just
> supplied it with a blank file.  I'm not sure if there are some sort of rules
> I need to download or if it updates them itself.  I've been seeing a lot of
> activity (80-90% ARP Broadcasts), but so far SNORT reports no activity.  Is
> there a way to test it and ensure it is working ok.  Also, is there
> somewhere I should get updated rules from?  I kept clicking on links on the
> website for rules, but came to the download page and couldn't find anything.
> Any help would be great.
>   Mel L. Chandler, A+, Network+, MCNE, MCDBA, MCSE+I, CCNA
>   MChandler at PMI.Delta.org
>   Network Analyst
>   Information Services
>   PMI Delta Dental
>   (562) 467-6627
>   =========================
>   = not many animals were harmed in =
>   = ..... the making of this email ........ =
>   =========================

Dragos Ruiu <dr at dursec.com>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
