Snort mailing list archives

Re: Snort logging and the home network


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 6 Mar 2002 12:28:04 -0800 (PST)

On Wed, 6 Mar 2002, Bill McCarty wrote:

[...snip...]

Q: What is the relationship between the HOME_NET variable in snort.conf and
the -h switch on the command line? I hope that, by better understanding
this, I'll know why my configuration ceased working.

Well...  This might not tell you everything, but it might help:
http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.3

[quote on]

"If you just specify a plain "-l" switch, you may notice that Snort sometimes
uses the address of the remote computer as the directory in which it places
packets, and sometimes it uses the local host address. In order to log
relative to the home network, you need to tell Snort which network is the home
network:

       ./snort -dev -l ./log -h 192.168.1.0/24

This rule tells Snort that you want to print out the data link and TCP/IP
headers as well as application data into the directory ./log, and you want to
log the packets relative to the 192.168.1.0 class C network. All incoming
packets will be recorded into subdirectories of the log directory, with the
directory names being based on the address of the remote (non-192.168.1) host.
Note that if both hosts are on the home network, then they are recorded based
upon the higher of the two's port numbers, or in the case of a tie, the source
address."

[quote off]

[...snip...]

-h is also used in combination with -O to know which addresses to munge on
output.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
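To make the directory-naming rule in the quoted passage concrete, here is an added Python example (not from the Snort source or the list post) that applies it to a few constructed packets. HOME_NET is passed in as a parameter; the behaviour for flows where neither host is on HOME_NET is an assumption, since the quoted text only covers the one-remote-host and both-home cases.

```python
from ipaddress import ip_address, ip_network

# Rule from the quoted Snort docs: the log subdirectory is named after the
# remote (non-HOME_NET) host; if both hosts are on HOME_NET, the host with
# the higher port wins, and on a tie the source address is used.
# Assumption (not on the page): when neither host is on HOME_NET we apply
# the same higher-port / source-on-tie rule rather than failing.
def log_dir_for(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                home_net: str = "192.168.1.0/24") -> str:
    home = ip_network(home_net)
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    src_home, dst_home = src in home, dst in home
    if src_home and not dst_home:
        return str(dst)          # destination is the remote host
    if dst_home and not src_home:
        return str(src)          # source is the remote host
    # Both on HOME_NET (or, by assumption, neither): higher port decides.
    if src_port > dst_port:
        return str(src)
    if dst_port > src_port:
        return str(dst)
    return str(src)              # tie: source address


def demo() -> dict:
    """Constructed packets showing how the same flow is filed differently
    when -h/HOME_NET does or does not cover the local hosts."""
    flows = {
        "home->remote":   ("192.168.1.5", 40000, "10.0.0.9", 80),
        "remote->home":   ("10.0.0.9", 80, "192.168.1.5", 40000),
        "home<->home":    ("192.168.1.5", 40000, "192.168.1.7", 80),
        "home<->home tie": ("192.168.1.5", 53, "192.168.1.7", 53),
    }
    out = {}
    for name, (sip, sport, dip, dport) in flows.items():
        out[name] = log_dir_for(sip, sport, dip, dport)
        # Same packets with a HOME_NET that no longer matches the LAN: the
        # directories change, which is what a silently "broken" config looks like.
        out[name + " (wrong HOME_NET)"] = log_dir_for(
            sip, sport, dip, dport, home_net="172.16.0.0/16")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:32s} -> {v}")
```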

