[Snort-users] (no subject)

Phil foo_bar_00 at ...131...
Sat Apr 7 22:27:31 EDT 2001


Hey all, I sent this question in a while back from a
different address, but for some reason that address
couldn't post to the list. So I'm resending it.

Marty wrote:
<snip>
> that's providing NAT/forwarding for an internal
> network?  If this is the case, you want to set the >
INTERNAL var to your
> *external* (internet facing) interface address, not 
> the address of your internal machines.  Your
external > interface is the one that's going to
> see the attacks.
</snip>

This confused me greatly. I'm running my snort on a
gateway as well. I will se attacks on the external
interface (internet facing). Wouldn't everyone. Also,
I don't have INTERNAL and EXTERNAL variables, I have
HOME_NET and EXTERNAL_NET variables. I set HOME_NET to
my internal interface (the NAT'd one, and the one I
want to protect) and EXTERNAL_NET to the external
interface (i.e. the internet). Unforntunately I've
seen virtually no logs whatsoever when I do see logs
it's usually a http_decode log, but it's nothing more
than web browsing from an internal machine out to an
external machine at port 80.

I can't quite figure out what I'm doing wrong. Any
help would be much appreciated. Thanks.

Phil

__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail. 
http://personal.mail.yahoo.com/




More information about the Snort-users mailing list