From owner-freebsd-questions Fri May 11 1:46:53 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-32.dsl.lsan03.pacbell.net [63.207.60.32]) by hub.freebsd.org (Postfix) with ESMTP id 6F72837B422 for ; Fri, 11 May 2001 01:46:50 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 9F97366C04; Fri, 11 May 2001 01:46:49 -0700 (PDT)
Date: Fri, 11 May 2001 01:46:49 -0700
From: Kris Kennaway
To: Sheldon Hearn
Cc: Kris Kennaway , freebsd-questions@freebsd.org
Subject: Re: FreeBSD IDS to babysit Microsoft hosts
Message-ID: <20010511014649.A19248@xor.obsecurity.org>
References: <20010511004209.A18132@xor.obsecurity.org> <73345.989568885@axl.fw.uunet.co.za>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="LQksG6bCIzRHxTLp"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <73345.989568885@axl.fw.uunet.co.za>; from sheldonh@uunet.co.za on Fri, May 11, 2001 at 10:14:45AM +0200
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, May 11, 2001 at 10:14:45AM +0200, Sheldon Hearn wrote:
>
>
> On Fri, 11 May 2001 00:42:09 MST, Kris Kennaway wrote:
>
> > You want snort (in ports)
>
> Yes!!!
>
> Kris, thanks so much, this is awesome stuff!
>
> The port comes with a whole bunch of rules files that end in -lib. The
> snort web site has a snortrules.tar.gz in which files end in .rules. I
> assume that the rules on the web site should be used in preference over
> those that come with the port?

Actually the best ruleset I've found is the ArachNIDS set from
www.whitehats.com. The rules that come with snort (or on the website)
aren't quite so well-organised, although there's lots of good stuff there.
You can of course customize them to pick out the good parts.

Kris