Correct snort.conf setup


Ershik
04.07.2008, 21:12
Installed snort.
Configured snort.conf, dropped the rules in...
Out of curiosity I looked in /var/log/snort/
And what do I see. The snort.log file is 26 megabytes....

Is that how it's supposed to be? Or did I configure it wrong, so that false attacks are being logged?

Elitemaster
04.07.2008, 21:13
Post at least a chunk of the log.

Ershik
04.07.2008, 21:21
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect your local network. The
# variable is currently setup for an RFC 1918 address space.
#
# You can specify it explicitly as:
#
# var HOME_NET 62.16.****.*** # address of my VDS
#
# or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which you run
# snort at. Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

var HOME_NET any

# Set up the external network addresses as well. A good start may be "any"
var EXTERNAL_NET !$HOME_NET # I read that to reduce false attacks you have to set !$HOME_NE

# Configure your server lists. This allows snort to only look for attacks to
# systems that have a service up. Why look for HTTP attacks if you are not
# running a web server? This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.

# List of DNS servers on your network
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET

# Configure your service ports. This allows snort to look for attacks destined
# to a specific application only on the ports that application runs on. For
# example, if you run a web server on port 8081, set your HTTP_PORTS variable
# like this:
#
# portvar HTTP_PORTS 8081
#
# Ports you run web servers on
portvar HTTP_PORTS 80

# NOTE: If you wish to define multiple HTTP ports, use the portvar
# syntax to represent lists of ports and port ranges. Examples:
## portvar HTTP_PORTS [80,8080]
## portvar HTTP_PORTS [80,8000:8080]
# And only include the rule that uses $HTTP_PORTS once.
#
# The pre-2.8.0 approach of redefining the variable to a different port and
# including the rules file twice is obsolete. See README.variables for more
# details.

# Ports you want to look for SHELLCODE on.
portvar SHELLCODE_PORTS !80

# Ports you might see oracle attacks on
portvar ORACLE_PORTS 1521

# other variables
#
# AIM servers. AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of servers.
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
var RULE_PATH /etc/snort
var PREPROC_RULE_PATH ../preproc_rules # does the preproc_rules folder have to be in /etc/preproc_rules ??

Elitemaster
04.07.2008, 21:27
http://blog.tenablesecurity.com/files/snort-var.audit

Ershik
04.07.2008, 21:27
That's a tenth of it.

http://blog.tenablesecurity.com/files/snort-var.audit

And what does that give me? How do you even use it? As a Perl file? I tried. It outputs:
(Missing semicolon on previous line?)
Bareword found where operator expected at 1.pl line 126, near "description : "Check if var RULE_PATH entry in /etc"
(Might be a runaway multi-line // string starting on line 121)
(Do you need to predeclare description?)
String found where operator expected at 1.pl line 128, near "regex : " "
(Might be a runaway multi-line "" string starting on line 127)
(Missing semicolon on previous line?)
Bareword found where operator expected at 1.pl line 128, near "regex : " var"

And nothing else.
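The thread stops at the posted variable block and at the linked snort-var.audit (a Nessus compliance policy, which is why it does not run as Perl). Below, as an added example that is not code from the thread, from Snort, or from Tenable, is a small Python linter that does the same kind of check offline: it resolves $VAR references the way Snort does (by textual expansion) and reports the settings in the posted block that make a one-host sensor treat all traffic as home traffic: HOME_NET set to any, an EXTERNAL_NET that therefore resolves to !any, *_SERVERS lists that cover every host, and relative rule paths. Both config snippets inside it are constructed for the example; the VDS address 192.0.2.10 is a placeholder from the TEST-NET-1 documentation range, and /etc/snort is assumed as the directory holding snort.conf.

```python
"""Lint the variable block of a Snort 2.x snort.conf (added example)."""
import os
import re

# Constructed: the poster's settings, reduced to the lines that matter.
BAD_CONF = """\
var HOME_NET any
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
var RULE_PATH /etc/snort
var PREPROC_RULE_PATH ../preproc_rules
"""

# Constructed: the same block corrected for a single-address VDS
# (192.0.2.10 is a placeholder; use the sensor's real address).
GOOD_CONF = """\
var HOME_NET 192.0.2.10/32
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
"""

ASSIGN_RE = re.compile(r'^(var|portvar|ipvar)\s+(\w+)\s+(\S.*?)$')
REF_RE = re.compile(r'\$(\w+)')


def parse_vars(conf_text):
    """Map variable name -> raw value from var/portvar/ipvar lines.
    Everything after '#' is dropped, as Snort drops trailing comments."""
    out = {}
    for raw in conf_text.splitlines():
        m = ASSIGN_RE.match(raw.split('#', 1)[0].strip())
        if m:
            out[m.group(2)] = m.group(3)
    return out


def resolve(value, variables, depth=0):
    """Expand $NAME references textually, nested references included."""
    if depth > 16:
        raise ValueError('variable reference loop in %r' % value)

    def expand(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError('undefined variable $%s' % name)
        return resolve(variables[name], variables, depth + 1)

    return REF_RE.sub(expand, value)


def lint(conf_text, conf_dir='/etc/snort'):
    """Return a list of findings; an empty list means the block looks sane.
    conf_dir is the directory holding snort.conf: Snort resolves relative
    rule paths against it, so ../preproc_rules becomes /etc/preproc_rules."""
    v = parse_vars(conf_text)
    findings = []
    if resolve(v.get('HOME_NET', 'any'), v) == 'any':
        findings.append('HOME_NET is any: every address counts as home, so '
                        'rules keyed on $HOME_NET apply to all traffic')
    if resolve(v.get('EXTERNAL_NET', 'any'), v) == '!any':
        findings.append('EXTERNAL_NET resolves to !any: an empty address '
                        'set (later Snort versions reject !any at startup)')
    for name, raw in sorted(v.items()):
        if name.endswith('_SERVERS') and resolve(raw, v) == 'any':
            findings.append('%s is any: rules for that service are applied '
                            'to every host, not only the ones running it'
                            % name)
    for name in ('RULE_PATH', 'PREPROC_RULE_PATH'):
        path = v.get(name)
        if path and not os.path.isabs(path):
            resolved = os.path.normpath(os.path.join(conf_dir, path))
            findings.append('%s is relative (%s): Snort resolves it to %s'
                            % (name, path, resolved))
    return findings


if __name__ == '__main__':
    for label, conf in (('poster', BAD_CONF), ('corrected', GOOD_CONF)):
        print('== %s ==' % label)
        for finding in lint(conf) or ['no findings']:
            print(' -', finding)
```

Run it as a script to see the findings for both blocks side by side; point `lint()` at the text of a real snort.conf (and pass its directory as `conf_dir`) to check a live sensor. The only substantive change in the corrected block is HOME_NET: once it names the sensor's own address, `!$HOME_NET` becomes a meaningful external set and the `*_SERVERS` lists shrink to that one host by themselves.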