Snort mailing list archives
Re: snort.conf and startup variables
From: Erek Adams <erek () snort org>
Date: Wed, 11 Feb 2004 10:16:52 -0500 (EST)
On Tue, 10 Feb 2004, Derek (X-Networks) wrote:
> If you'll permit me, I have two questions:
>
> 1) I've prepared a RedHat 9 system to run Snort 2.1 in IDS mode and when I
> type:
>
> snort -dev -c snort.conf
>
> ...the output on the screen shows (among other things) the following:
>
> Decoding Ethernet on interface eth0
>
> ..but I do not see any information being written to the screen. When I
> type:
>
> snort -dev -c snort.conf -i eth1
>
> ...I see plenty of packet details being written to the screen. I am not
> entirely familiar with the file structure of Linux but I am sure there is a
> missing configuration somewhere in a startup script, that is either
> referencing eth0, or not referencing either eth0 or eth1. Where is this
> corrected?
Snort defaults to the 'first' NIC on the box. In your case, that's eth0.
From what you say below, you really want eth1. Simply add -i eth1 to your
startup script.
> 2) I have connected my Snort IDS box to a (managed) switch port that is set
> up as a SPAN (a.k.a - mirror) port. Eth1 is the Snort interface that is
> connected to that port and eth0 is another NIC in the Snort box that is not
> connected to anything. Eth1 has an IP address that matches the same subnet
> prefix/mask (172.20.0.0/16) as the other devices plugged into the switch,
> and eth0 has an IP address of 192.168.168.1/24. Since this is not an inline
> IDS, what should the HOME_NET and EXTERNAL_NET (var) variables be set to?
> I am currently using:
>
> var HOME_NET 192.168.168.0/24
> var EXTERNAL_NET any
Check the FAQ [0]--3.3, 3.4 and 3.5. The short answer really boils down to
this: HOME_NET should be what you want to watch. In this case,
172.20.0.0/16. EXTERNAL_NET could be set to 'everything else'. !$HOME_NET
for example.

Cheers!

-----
Erek Adams

"It looks just like a Telefunken U-47. You'll love it..." -- Frank Zappa

[0] http://www.snort.org/docs/FAQ.txt
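A small sanity check for the HOME_NET/EXTERNAL_NET question above, added here as an example and not part of the thread or of Snort itself: it parses the `var` lines of a snort.conf fragment and reports whether HOME_NET covers the segment mirrored to the SPAN interface and whether EXTERNAL_NET really excludes HOME_NET. The two conf fragments and the interface address 172.20.5.10 are constructed for the example; the parser assumes plain `var NAME VALUE` lines and single-level `$NAME` references.

```python
import ipaddress
import re

# Constructed snort.conf fragments (example input, not files from the thread):
# the poster's current settings and the settings recommended in the reply.
CURRENT_CONF = """\
var HOME_NET 192.168.168.0/24
var EXTERNAL_NET any
"""
RECOMMENDED_CONF = """\
var HOME_NET 172.20.0.0/16
var EXTERNAL_NET !$HOME_NET
"""

def parse_vars(conf):
    """Collect every 'var NAME VALUE' line of a snort.conf into a dict."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"^\s*var\s+(\w+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def expand(value, variables):
    """Replace $NAME references with their definitions (one level deep)."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)

def check_home_net(conf, span_iface_ip):
    """Return findings about HOME_NET/EXTERNAL_NET for a sensor on a SPAN port."""
    variables = parse_vars(conf)
    home = variables.get("HOME_NET", "any")
    external = expand(variables.get("EXTERNAL_NET", "any"), variables)
    ip = ipaddress.ip_address(span_iface_ip)
    findings = []
    if home == "any":
        findings.append("HOME_NET is 'any': nothing distinguishes local hosts")
    else:
        # Snort list syntax is [a,b,...]; strip the brackets before parsing.
        nets = [ipaddress.ip_network(n, strict=False) for n in home.strip("[]").split(",")]
        if not any(ip in n for n in nets):
            findings.append(f"HOME_NET {home} does not contain {span_iface_ip}, "
                            "the segment mirrored to the sensor")
    if external == "any":
        findings.append("EXTERNAL_NET is 'any': $EXTERNAL_NET -> $HOME_NET rules "
                        "also fire on traffic between local hosts")
    elif external != "!" + home:
        findings.append(f"EXTERNAL_NET {external} does not exclude HOME_NET {home}")
    return findings
```

Running `check_home_net(CURRENT_CONF, "172.20.5.10")` yields two findings, while the recommended fragment yields none.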