Snort mailing list archives

Complex network + Multi-interface sensor = trouble


From: Jeff Newton <Jeff_Newton () pmc-sierra com>
Date: Tue, 11 Dec 2001 11:49:50 -0800


I want to monitor multiple subnets (internet, DMZ, internal, etc) with a
single multi-interface sensor and have a few implementation questions:

1)  Is it best/possible to run on all interfaces using a single
snort.conf?  My initial sensor test fired constantly on detected RPC
traffic and I imagine tuning this out only on specific interfaces will
be a real challenge.

2)  Can EXTERNAL_NET be defined as any not-equal-to HOME_NET?  I suspect
this isn't the default, which is why the RPC rule was firing on
HOME_NET to HOME_NET traffic - the RPC rule fires on any -> HOME_NET.

Any other multi-interface sensor implementation help/suggestions would
be greatly appreciated.

Cheers, 

-- 
Jeff Newton
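
Added example, not part of the original post and not Snort's own code: a simplified Python model of the source/destination address check in a rule header, showing why a rule of the form "EXTERNAL_NET any -> HOME_NET" fires on HOME_NET to HOME_NET traffic when EXTERNAL_NET is "any" and stops doing so when it is the negation of HOME_NET. The networks and packets are constructed samples; ports and rule options are ignored.

```python
import ipaddress

# Constructed sample networks (assumptions, not taken from the post).
HOME_NET = [
    ipaddress.ip_network("192.168.1.0/24"),  # internal
    ipaddress.ip_network("10.10.0.0/24"),    # DMZ
]

def in_home(ip):
    """True if the address falls inside any HOME_NET network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def src_matches(ip, spec):
    """Evaluate a source field: 'any', '$HOME_NET' or '!$HOME_NET'."""
    if spec == "any":
        return True
    if spec.lstrip("!") != "$HOME_NET":
        raise ValueError("unsupported address spec: " + spec)
    hit = in_home(ip)
    # A leading '!' negates the match, as in a rule-header address.
    return (not hit) if spec.startswith("!") else hit

def rule_fires(src, dst, external_net):
    """Model of the header '$EXTERNAL_NET any -> $HOME_NET any'."""
    return src_matches(src, external_net) and in_home(dst)

# Constructed (source, destination) pairs as seen by a multi-interface sensor.
PACKETS = [
    ("203.0.113.7", "192.168.1.20"),   # internet -> internal
    ("192.168.1.5", "192.168.1.20"),   # internal -> internal
    ("10.10.0.8", "192.168.1.20"),     # DMZ -> internal
    ("192.168.1.5", "198.51.100.9"),   # internal -> internet
]

def fired(external_net):
    """Return the packets whose addresses satisfy the rule header."""
    return [p for p in PACKETS if rule_fires(p[0], p[1], external_net)]

if __name__ == "__main__":
    for spec in ("any", "!$HOME_NET"):
        print("EXTERNAL_NET =", spec)
        for src, dst in fired(spec):
            print("  alert:", src, "->", dst)
```

With HOME_NET covering every monitored subnet, the negated definition also silences DMZ -> internal matches, so rules that should see traffic between monitored subnets need a different source definition.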


