Snort mailing list archives

RE: Starting SNORT


From: Michael Brown <mbrown () pathfire com>
Date: Fri, 4 Oct 2002 10:36:38 -0400

Welcome newbie :P
 
home_net and external_net are like settings in your firewall: home_net =
network segment you trust or your local LAN, external_net = internet
connection or network segment you don't trust. This is the one that the
intruders and perps come through.
 
When you populate your trusting local LAN information into home_net, snort
somewhat ignores that network to a certain degree. It mainly watches network
traffic coming in through external_net. Therefore, all the other variables,
like var dns_server $home_net, say to ignore DNS traffic coming from my
trusting LAN (home_net).
 
Michael
Pathfire
 
-----Original Message-----
From: Remus [mailto:rmocius () auste elnet lt] 
Sent: Friday, October 04, 2002 5:34 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Starting SNORT


Hi folks,
 
I'm a newbie in SNORT.
I'm a bit confused about two lines in the snort.conf file:
var HOME_NET and var EXTERNAL_NET.
What do they mean?
For example I have two NICs on my Linux box:
 eth0 connection to my ISP via ADSL
 eth1 my local network
 
How should I use these var HOME_NET and var EXTERNAL_NET if I want a snort
instance to be running on eth0?
Is it like this:
var HOME_NET 10.10.10.0/24
var EXTERNAL_NET 193.125.145.6 (this is not my real IP address)?
 
And are all these 'vars' only for the local network?
# List of DNS servers on your network
var DNS_SERVERS $HOME_NET
 
# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET
 
# List of web servers on your network
var HTTP_SERVERS $HOME_NET
 
# List of sql servers on your network
var SQL_SERVERS $HOME_NET
 
# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET
 
 
May I put my external DNS servers into DNS_SERVERS, since I have no
internal ones?
 
 
Thanks in advance
 
Remus
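
Added example, not part of either message above or of the Snort distribution: a small Python sketch of how `var` definitions like the ones quoted are expanded and then used as the source and destination of a rule header such as `$EXTERNAL_NET any -> $HOME_NET 53`. The `EXTERNAL_NET !$HOME_NET` setting, the sample addresses and all function names are assumptions; it handles a single CIDR, `any`, `!` and `$NAME` only, not bracketed lists.

```python
import ipaddress

# Constructed snort.conf fragment: HOME_NET and DNS_SERVERS are the values
# quoted in the thread; EXTERNAL_NET as "everything else" is an assumption.
CONF = """\
var HOME_NET 10.10.10.0/24
var EXTERNAL_NET !$HOME_NET
# List of DNS servers on your network
var DNS_SERVERS $HOME_NET
"""

def parse_vars(conf):
    """Collect 'var NAME value' lines, skipping comments and blanks."""
    table = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "var":
            table[parts[1]] = parts[2]
    return table

def resolve(value, table):
    """Expand $NAME references; return (negated, network or None for 'any')."""
    negated = False
    while True:
        if value.startswith("!"):
            negated, value = not negated, value[1:]
        elif value.startswith("$"):
            value = table[value[1:]]
        else:
            break
    net = None if value == "any" else ipaddress.ip_network(value)
    return negated, net

def addr_matches(ip, value, table):
    """True if ip falls inside the (possibly negated) resolved network."""
    negated, net = resolve(value, table)
    inside = True if net is None else ipaddress.ip_address(ip) in net
    return inside != negated

def header_matches(rule_src, rule_dst, pkt_src, pkt_dst, table):
    """Address part of a one-way rule header: src -> dst."""
    return (addr_matches(pkt_src, rule_src, table)
            and addr_matches(pkt_dst, rule_dst, table))

VARS = parse_vars(CONF)
```

With these definitions a header written `$EXTERNAL_NET -> $HOME_NET` matches a packet from 198.51.100.7 to 10.10.10.5 but not the reverse direction, and `$DNS_SERVERS` resolves to the same network as `$HOME_NET`.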
 
 
