Snort mailing list archives
Re: Newbie question.
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 09 Aug 2002 16:35:39 -0400
If you really want snort to listen on two interfaces, you'll need to have 2 different copies of snort running, and they'll need different configs. You've also got a bit of a misconception of what EXTERNAL_NET means, so keep reading and correct your snort.conf.
The primary reason they need different configurations is that the HOME_NET for each interface should be its own subnet, and all the addressable IPs that are "downstream" as you head into your network. EXTERNAL_NET should not refer to your own IP addresses at all, but rather should be the set of IP addresses you don't trust.. ie: the rest of the world.
For most setups the only reasonable choices for EXTERNAL_NET are any, or !$HOME_NET. The only time you would ever set EXTERNAL_NET be your own IP's is if you only wanted to detect attacks from your network (ie: you have a public lab and want to detect it being used to attack someone else), or attacks between different nodes inside your own network, but did not care about the world attacking you.
If you're using a NAT type setup, HOME_NET on the eth0 interface should be the real IP(s) that you are NATing against. On the eth1 interface HOME_NET should be all the private IP's you're using (ie: 192.168.1.0/24). If you aren't using address translation, and your inside network consists of all public IPs (rare these days), you can set the HOME_NET of both to be your set of IP addresses.
At 03:27 PM 8/9/2002 -0400, Brian F. Vaughan wrote:
Hello all,I am running snort-1.8.6 on Linux 6.2 (Kernel 2.4.18). I have configured var HOME_NET as my private ip network, and var EXTERNAL_NET as my public ip network. However when I start snort with snort -d -l I see that snort only initializes eth0. How do I get snort to listen on both interfaces (eth0 and eth1).TIA. Brian Vaughan IT Administrator ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Newbie question. Brian F. Vaughan (Aug 09)
- <Possible follow-ups>
- Re: Newbie question. Matt Kettler (Aug 09)