Snort mailing list archives

snort.conf and startup variables


From: "Derek (X-Networks)" <derek () x-networks net>
Date: Tue, 10 Feb 2004 21:17:43 -0800

If you'll permit me, I have two questions:

1) I've prepared a RedHat 9 system to run Snort 2.1 in IDS mode and when I
type:

snort -dev -c snort.conf

...the output on the screen shows (among other things) the following:

Decoding Ethernet on interface eth0

...but I do not see any information being written to the screen.

When I type:

snort -dev -c snort.conf -i eth1

...I see plenty of packet details being written to the screen. I am not
entirely familiar with the file structure of Linux but I am sure there is a
missing configuration somewhere in a startup script, that is either
referencing eth0, or not referencing either eth0 or eth1. Where is this
corrected?

2) I have connected my Snort IDS box to a (managed) switch port that is set
up as a SPAN (a.k.a. mirror) port. Eth1 is the Snort interface that is
connected to that port and eth0 is another NIC in the Snort box that is not
connected to anything. Eth1 has an IP address that matches the same subnet
prefix/mask (172.20.0.0/16) as the other devices plugged into the switch,
and eth0 has an IP address of 192.168.168.1/24.

Since this is not an inline IDS, what should the HOME_NET and EXTERNAL_NET
(var) variables be set to? I am currently using:

var HOME_NET 192.168.168.0/24
var EXTERNAL_NET any

The reason I ask this is because I can't determine what the values should be
for:

var DNS_SERVERS
var SMTP_SERVERS
..etc.

My snort.conf file has the value of $HOME_NET prefilled for var DNS_SERVERS,
var SMTP_SERVERS, etc., but shouldn't that be incorrect since our
company's DNS, SMTP, etc. servers all have IP addresses from the
172.20.0.0/16 subnetwork?

Thanks,
Derek



