[Snort-users] please help with solaris problem

Martin Roesch roesch at ...421...
Wed Nov 8 17:40:10 EST 2000


loki at ...765... wrote:
> 
> Attn fellow snorters--
> 
> Need help with the following problem. Maybe someone can clarify for me..
> I have a Solaris machine with 2 interfaces on it.
> 
> hme0 => 192.168.X.X
> hme1 => 0.0.0.0 (actual ip)
> 
> I have installed snort to replace what is currently being used, ISS
> RealSecure. RealSecure was binding to hme1 (0.0.0.0), an interface that
> is in promisc. mode. In my snort-lib file, I am specifying for my home_net
> to be 0.0.0.0/24  .... is this correct?

Nope, you want to set the HOME_NET variable to the address/network to be
monitored.  Even though you've got a stealthed interface, you really want to
see the traffic that's bound for your network.  So, if the network you're
defending is 172.16.10.0/24, you should set the HOME_NET accordingly.

> I am (NOT) receiving ANY logs from traffic over the wire. This solaris box
> is on its own hub off of the firewall on its own network away from the
> DMZ. I can't go into detail on the topology but know that RealSecure was
> able to capture all traffic from hme1 completely fine. Can someone please
> shoot me over what I need to do, whether it be assigning any ip to this
> interface, changing my home_net.. anything, please advise.

You should check to see if Snort is capable of seeing packets on the hme0
interface by running it in sniffer mode with "snort -dv -i hme0".  If you can
see packets, then you just need to set the HOME_NET to reflect the network
you're monitoring.

     -Marty

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
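The two steps in Marty's reply, the sniffer-mode visibility check and setting HOME_NET to the defended network rather than the stealth interface's 0.0.0.0 address, as an added shell example (not code from the thread or from the Snort project); the interface name hme1 and the network 172.16.10.0/24 are taken from the posts above as illustrative values.

```shell
#!/bin/sh
# Added example, not from the original thread. Helpers to (1) refuse a
# HOME_NET that names the stealth interface's 0.0.0.0 address instead of
# the monitored network, and (2) produce the sniffer-mode check command.

# HOME_NET must be the network being defended (e.g. 172.16.10.0/24), in
# CIDR form. 0.0.0.0 is the unnumbered capture interface, never the target.
validate_home_net() {
    case "$1" in
        0.0.0.0|0.0.0.0/*) return 1 ;;   # stealth-interface address, reject
        *[!0-9./]*)        return 1 ;;   # only digits, dots and a slash
        */*)               ;;            # has a /prefix, accept
        *)                 return 1 ;;   # bare address without prefix
    esac
    return 0
}

# Emit the snort.conf (snort-lib in the original post) line for HOME_NET.
home_net_line() {
    validate_home_net "$1" || { echo "invalid HOME_NET: $1" >&2; return 1; }
    printf 'var HOME_NET %s\n' "$1"
}

# The sniffer-mode command Marty suggests: if this shows packets, capture
# on the interface works and only HOME_NET needs fixing.
sniff_cmd() {
    printf 'snort -dv -i %s\n' "$1"
}

# Run the sniffer check for a few seconds and report whether any packet
# headers (lines with " -> ") appeared. Needs snort and timeout installed;
# the line format is assumed from snort's -v output and is not run offline.
sniff_check() {
    iface=$1
    n=$(timeout 5 snort -dv -i "$iface" 2>/dev/null | grep -c ' -> ')
    if [ "${n:-0}" -gt 0 ]; then
        echo "$iface: $n packets seen, capture works"
    else
        echo "$iface: no packets seen, check the hub/interface first" >&2
        return 1
    fi
}

# Usage (constructed values): validate the network, then print the config line.
home_net_line 172.16.10.0/24
sniff_cmd hme1
```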
