Snort mailing list archives

AW: (Snort-users) Newbie needs QuadNIC stealth config advice


From: <sandro.poppi () wacker com>
Date: Thu, 06 Dec 2001 12:21:00 +0100


Hi Jeff,

Maybe http://www.lug-burghausen.org/projects/index.html#snort-stat will help you,
where I described such a configuration.

HTH
Sandro

-----Original Message-----
From: Jeff Newton <Jeff_Newton () pmc-sierra com> at internet
Sent: Wednesday, 5 December 2001 15:59
To: snort-users () lists sourceforge net at Internet
Subject: [Snort-users] Newbie needs QuadNIC stealth config advice



I'm a little confused how exactly to deploy this sensor.  I'm hoping the
list can provide me with some advice after I describe what I want to do:

Sensor has 5 interfaces, one in-band that I want to use for admin and
logging to a db, and 4 out-of-band that I want to use for sniffing.
Each one of the 4 out-of-band interfaces will go to a different subnet
(duh), some external, some on the DMZ, and some internal.

With that said, a few things confuse me:

1)  Should I run a separate instance of snort for each interface?  This
would allow different rule sets for each interface, correct?  I noticed
I can run snort -i eth0 -i eth1 -i eth2 ... but I'm not sure each
interface using the same snort.conf is a good thing.

2)  What should I set my HOME_NET to?  Should I list ALL my internal
network ranges, excluding DMZs?  When I set EXTERNAL_NET to any, does
snort read that as any except HOME_NET?  I assume these variables are
used with rule directions - i.e. RPC from an internal net is ok, but RPC
from an external net is cause for alert.

3)  Any other caveats I should be looking out for running a QuadNIC
sensor?

Thanks in advance for any advice!

--
Jeff Newton

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



