On "Smoothwall Express 2.0 with Fixes 1 through 9" (i.e. the latest release) with Snort 2.4.3 installed, one can run the Bleeding rulesets with the following high-sensitivity conf file. Smoothwall Express 2.0 ships with an earlier version of Snort, and you will want to upgrade it. This is easily done using the Snort Update package available at SourceForge's Smoothwall Homebrew Mods project (http://sourceforge.net/projects/smoothiemods/).

The hardware tested is a dual-processor Abit, ASUS, Dell or Tyan motherboard with two Pentium III 1 GHz CPUs. One GB of RAM is installed, utilizing two matching 512 MB DIMMs. With a weekly reboot, this recon machine will use 400-700 MB of RAM given a varying level of traffic.

The Smoothwall designers deviated from the standard Snort setup by placing a partial duplicate config file in a secondary location. Consequently, in order to make all of the Bleeding rules work, you must add the same line to two files:

File 1: in /etc/snort.conf insert a new line in the file:

    var SSH_PORTS 22 222

File 2: in /var/smoothwall/snort/snort.in insert a new line in the file:

    var SSH_PORTS 22 222

In both files this insertion can be placed immediately after the variable definition (usually line 9):

    var SHELLCODE_PORTS !80

In snort.conf, in the section preprocessor sfportscan, change the IP address in CIDR notation below to match your LAN setup:

    sense_level { high } watch_ip { xxx.xx.x.x, xxx.xxx.x.x }

In snort.conf, in the section preprocessor arpspoof_detect_host, insert your host IP address in CIDR notation as well as your host's MAC address:

    preprocessor arpspoof_detect_host: xxx.xxx.x.x 00:00:00:00:00:00

In snort.conf and snort.in, in the section preprocessor frag3_engine: policy linux, specify your Linux LAN in CIDR notation.

In snort.conf and snort.in, in the section preprocessor frag3_engine: policy first, specify your Windows LAN in CIDR notation.

Then (if you are editing from a Windows box) use WinSCP3 to very easily copy all of the Bleeding rulesets to the Smoothwall directory: /usr/local/lib/snort/
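
The two-file SSH_PORTS edit described above can be scripted so that it is repeatable and the two config copies cannot silently drift apart. This is an added example, not part of the original page and not Smoothwall or Snort tooling; the function names are hypothetical, and it assumes a POSIX sh with awk on the machine where it runs.

```shell
#!/bin/sh
# Added example: define SSH_PORTS in both Snort config copies, idempotently.
# Intended use on the Smoothwall box (paths are the ones given on this page):
#   ensure_ssh_ports /etc/snort.conf
#   ensure_ssh_ports /var/smoothwall/snort/snort.in
#   ssh_ports_in_sync /etc/snort.conf /var/smoothwall/snort/snort.in
SSH_LINE='var SSH_PORTS 22 222'   # the line this page says to add

# Print the value of the first "var NAME ..." definition in FILE, if any.
# Commented-out definitions are ignored because their first field is not "var".
snort_var_value() {   # usage: snort_var_value NAME FILE
    awk -v name="$1" '$1 == "var" && $2 == name {
        $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# Insert SSH_LINE right after the SHELLCODE_PORTS definition, exactly once.
ensure_ssh_ports() {  # usage: ensure_ssh_ports FILE
    f=$1
    [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    # Already defined: leave the file untouched so reruns are harmless.
    [ -n "$(snort_var_value SSH_PORTS "$f")" ] && return 0
    # No anchor line: refuse to guess a position, since a variable defined
    # after the rule includes would be of no use to those rules.
    [ -n "$(snort_var_value SHELLCODE_PORTS "$f")" ] || {
        echo "no SHELLCODE_PORTS definition in $f" >&2; return 1; }
    cp -p "$f" "$f.bak" || return 1          # keep a rollback copy
    awk -v line="$SSH_LINE" '{ print }
        !done && $1 == "var" && $2 == "SHELLCODE_PORTS" { print line; done = 1 }
    ' "$f.bak" > "$f"
}

# Succeed only if both config copies define SSH_PORTS with the same value.
ssh_ports_in_sync() { # usage: ssh_ports_in_sync FILE1 FILE2
    a=$(snort_var_value SSH_PORTS "$1")
    b=$(snort_var_value SSH_PORTS "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```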