Snort mailing list archives

Newbie: Snort Configuration


From: Jeff Elkins <jeff () elkins org>
Date: Sat, 2 Feb 2002 19:25:42 -0500

Hello list,

I searched the FAQ as well as the web discussion boards and didn't see an 
obvious answer to my question.

I'm attempting to configure Snort 1.8.4-beta1 build 91 for use on a small 
seven node LAN. All boxen are running RH7.2. I built Snort from the tarball 
and configure/make/make install seemed to work perfectly.

The Snort box has two ethernet interfaces: eth0 is connected to a Netgear 
FS108 8 port switch (as is the rest of the LAN) and eth1 is connected to an 
Alcatel DSL modem.  The resulting pppoe->ppp0 connection is shared among all 
boxes and a basic ipchains firewall is in place. 

eth0=192.168.0.1
eth1=10.0.0.10
Alcatel switch=10.0.0.138 (factory preset)
ppp0=variable IP

Snort will only initialize itself for eth0 and while portscans within the LAN 
trigger an alert, external ones do not.  I've tried setting HOME_NET to 
10.0.010/24 and 10.0.0.138/24 - plus the $ppp0_ADDRESS and $eth1_ADDRESS 
variables fail with: bad value in variable definition. Make sure you don't 
have a "$" in the var name. Using HOME_NET any also fails to pick up external 
portscans.

Thanks for any assistance.

Jeff Elkins






