From: Pawel C. <pc...@ui...> - 2004-03-24 07:28:49
I have a question about tftp.rules rule file conversion. When I convert it from snort to snort_inline, the first few alerts are:

    alert udp any any -> any 69 ....

I was wondering if I should leave them like this, or change them to

    alert udp $HOME_NET any -> any 69 ...

Is this a matter of preference (allow more or less attacks to be done to your honeypots), or will it create security problems for the honeynet?

Also, I used snortconfig to convert the rules, and some of the rules looked like

    alert tcp $EXTERNAL_NET any -> $HOME_NET any ...

I have converted them to

    alert tcp $HOME_NET any -> $EXTERNAL_NET any ...

since I want to protect computers outside the Honeynet. Is this just the fact that snortconfig reverses all $_NET entries it sees when using the -honeynet option, or should I not touch them? I'm still a novice to using the rules and just want to get it right. Thanks for any info.

By the way, I have fixed the problem with database time stamp logging. I have compiled snort_inline from source code instead of patching snort.

Pawel Czarnota
ACM Honeynet Project
http://www.cs.uic.edu/~pczarno1