Snort mailing list archives
Re: Snort logging and the home network
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 6 Mar 2002 12:28:04 -0800 (PST)
On Wed, 6 Mar 2002, Bill McCarty wrote: [...snip...]
Q: What is the relationship between the HOME_NET variable in snort.conf and the -h switch on the command line? I hope that, by better understanding this, I'll know why my configuration ceased working.
Well... This might not tell you everything, but it might help:

http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.3

[quote on]
"If you just specify a plain "-l" switch, you may notice that Snort sometimes uses the address of the remote computer as the directory in which it places packets, and sometimes it uses the local host address. In order to log relative to the home network, you need to tell Snort which network is the home network:

./snort -dev -l ./log -h 192.168.1.0/24

This rule tells Snort that you want to print out the data link and TCP/IP headers as well as application data into the directory ./log, and you want to log the packets relative to the 192.168.1.0 class C network. All incoming packets will be recorded into subdirectories of the log directory, with the directory names being based on the address of the remote (non-192.168.1) host. Note that if both hosts are on the home network, then they are recorded based upon the higher of the two's port numbers, or in the case of a tie, the source address."
[quote off]

[...snip...]

-h is also used in combination with -O to know which addresses to munge on output.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
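The directory-naming rule from the quoted documentation, as an added Python example (not Snort's code and not part of the original post). The function names and sample packets are constructed, and the handling of traffic where neither host is on the home network is an assumption, since the quoted text does not cover that case.

```python
import ipaddress
from collections import Counter

HOME_NET = "192.168.1.0/24"  # the value passed to -h in the quoted command


def log_dir_name(src_ip, src_port, dst_ip, dst_port, home_net=HOME_NET):
    """Return the address the per-host log directory is named after."""
    net = ipaddress.ip_network(home_net)
    src_home = ipaddress.ip_address(src_ip) in net
    dst_home = ipaddress.ip_address(dst_ip) in net

    if src_home != dst_home:
        # Exactly one end is on the home network: name the directory
        # after the remote (non-home) host, whichever direction it is.
        return dst_ip if src_home else src_ip

    # Both hosts on the home network: quoted rule (higher port wins,
    # a tie goes to the source address).
    # Neither host on the home network: ASSUMPTION, the quoted text is
    # silent, so the same tie-break is reused here.
    if src_port != dst_port:
        return src_ip if src_port > dst_port else dst_ip
    return src_ip


def group_by_dir(packets, home_net=HOME_NET):
    """Count how many packets land in each log subdirectory."""
    return Counter(log_dir_name(*p, home_net) for p in packets)


# Constructed sample traffic: (src_ip, src_port, dst_ip, dst_port)
SAMPLE_PACKETS = [
    ("10.9.8.7", 40000, "192.168.1.5", 80),     # inbound request
    ("192.168.1.5", 80, "10.9.8.7", 40000),     # reply, same directory
    ("192.168.1.5", 33000, "192.168.1.9", 22),  # internal, client port higher
    ("192.168.1.9", 22, "192.168.1.5", 33000),  # reply, same directory
    ("192.168.1.5", 137, "192.168.1.9", 137),   # port tie: source address
]

if __name__ == "__main__":
    for directory, count in sorted(group_by_dir(SAMPLE_PACKETS).items()):
        print(f"./log/{directory}/  {count} packet(s)")
```

With the home network set, both directions of a conversation fall into one subdirectory, which is the behaviour the quoted passage says a plain `-l` does not give you.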