Snort mailing list archives
Newbie needs QuadNIC stealth config advice
From: Jeff Newton <Jeff_Newton () pmc-sierra com>
Date: Wed, 05 Dec 2001 15:59:22 -0800
I'm a little confused how exactly to deploy this sensor. I'm hoping the list can provide me with some advice after I describe what I want to do:

Sensor has 5 interfaces, one in-band that I want to use for admin and logging to a db, and 4 out-of-band that I want to use for sniffing. Each one of the 4 out-of-band interfaces will go to a different subnet (duh), some external, some on the DMZ, and some internal.

With that said, a few things confuse me:

1) Should I run a separate instance of snort for each interface? This would allow different rule sets for each interface, correct? I noticed I can run snort -i eth0 -i eth1 -i eth2 ... but I'm not sure each interface using the same snort.conf is a good thing.

2) What should I set my HOME_NET to? Should I list ALL my internal network ranges, excluding DMZs? When I set EXTERNAL_NET to any, does snort read that as any except HOME_NET? I assume these variables are used with rule directions - i.e. RPC from an internal net is ok, but RPC from an external net is cause for alert.

3) Any other caveats I should be looking out for running QuadNIC sensor?

Thanks in advance for any advice!

--
Jeff Newton

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users