Snort mailing list archives
Re: Config Question
From: James Jalbert <jjalbert () mail caribouschools org>
Date: Tue, 04 Apr 2006 07:14:35 -0400
Here is the Home_Net protion of my config. I tried to get the error message I recived when I tried this before, but damn if I typed the information in the config again, and this time snort started with no errors. I have not yet chacked BASE to besure that I am getting things, But could you verify that this is the proper context for me.
Thanks for the help # var HOME_NET $eth0_ADDRESS # # You can specify lists of IP addresses for HOME_NET # by separating the IPs with commas like this: # # var HOME_NET [10.1.1.0/24,192.168.1.0/24] # # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! # # or you can specify the variable to be any IP address # like this:var HOME_NET xx.xx.94.0/23,xx.xx.72.0/23,xx.xx.74.128/25,xx.xx.74.0/25,xx.xx.75.0/25,xx.xx.75.128/26,xx.xx75.192/26
James Jalbert, MCP Network Administrator Caribou School Department Phone: 207-493-4246 Cell: 207-551-9764 E-Mail: jjalbert () mail caribouschools org Matt Kettler wrote:
James Jalbert wrote:I am looking to see if it is possible to configure one snort machine for many "Home" networks. I have 7 subnets that are the lan and wan for my location. I tried to configure snort with the var home_net set with the network address, but was unable to run snort after. For security reasons I will not post entire IP's but will post last sections, please tell me if I have done something wrong. Subnets are : xx.xx.94.0/23 xx.xx.72.0/23 xx.xx.74.0/25 xx.xx.74.128/25 xx.xx.75.0/25 xx.xx.75.128/26 xx.xx.75.192/26 Any thoughts or advice would be appreciatedWell, AFAIK, here's nothing intrinsically wrong with the above. However, I'd have to assume you correctly built a home_net declaration that matched the above. Given that you're having trouble running snort, it suggests the above is not correct. Can you post your home_net declaration from your snort.conf? Modified with the same censoring as above is fine, I'm looking for syntactic errors in format, not specific numbers. (Side note: Be aware this censoring of IPs only grants you very little, if any, extra privacy.) Can you post the output that occurs when you start snort manually from the command line? Do this without any "service" or other init scripts. Call snort directly from the command-line with the appropriate parameters, Leave off any -D parameters. For most folks, this would just be snort -c /etc/snort.conf.
------------------------------------------------------- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Config Question James Jalbert (Apr 03)
- Re: Config Question Matt Kettler (Apr 03)
- Re: Config Question Lorine Ruotolo (Apr 03)
- Re: Config Question Matt Kettler (Apr 03)
- Re: Config Question James Jalbert (Apr 04)
- Re: Config Question Frank Knobbe (Apr 04)
- Re: Config Question Lorine Ruotolo (Apr 03)
- RE: Config Question Patrick S. Harper (Apr 03)
- <Possible follow-ups>
- Re: Config Question Carl Brown (Apr 04)
- Re: Config Question Matt Kettler (Apr 03)