Snort mailing list archives
AW: (Snort-users) Newbie needs QuadNIC stealth config advice
From: <sandro.poppi () wacker com>
Date: Thu, 06 Dec 2001 12:21:00 +0100
Hi Jeff,

maybe http://www.lug-burghausen.org/projects/index.html#snort-stat will help you where I described such a configuration.

HTH
Sandro
-----Original Message-----
From: Jeff Newton <Jeff_Newton () pmc-sierra com> at internet
Sent: Wednesday, December 5, 2001 15:59
To: snort-users () lists sourceforge net at Internet
Subject: [Snort-users] Newbie needs QuadNIC stealth config advice

I'm a little confused how exactly to deploy this sensor. I'm hoping the list can provide me with some advice after I describe what I want to do:

Sensor has 5 interfaces, one in-band that I want to use for admin and logging to a db, and 4 out-of-band that I want to use for sniffing. Each one of the 4 out-of-band interfaces will go to a different subnet (duh), some external, some on the DMZ, and some internal.

With that said, a few things confuse me:

1) Should I run a separate instance of snort for each interface? This would allow different rule sets for each interface, correct? I noticed I can run snort -i eth0 -i eth1 -i eth2 ... but I'm not sure each interface using the same snort.conf is a good thing.

2) What should I set my HOME_NET to? Should I list ALL my internal network ranges, excluding DMZs? When I set EXTERNAL_NET to any, does snort read that as any except HOME_NET? I assume these variables are used with rule directions - i.e. RPC from an internal net is ok, but RPC from an external net is cause for alert.

3) Any other caveats I should be looking out for running QuadNIC sensor?

Thanks in advance for any advice!

--
Jeff Newton

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users