[Snort-users] (no subject)

Phil foo_bar_00 at ...131...
Sat Apr 7 22:27:31 EDT 2001

Hey all, I sent this question in a while back from a
different address, but for some reason that address
couldn't post to the list. So I'm resending it.

Marty wrote:
> that's providing NAT/forwarding for an internal
> network?  If this is the case, you want to set the >
INTERNAL var to your
> *external* (internet facing) interface address, not 
> the address of your internal machines.  Your
external > interface is the one that's going to
> see the attacks.

This confused me greatly. I'm running my snort on a
gateway as well. I will se attacks on the external
interface (internet facing). Wouldn't everyone. Also,
I don't have INTERNAL and EXTERNAL variables, I have
HOME_NET and EXTERNAL_NET variables. I set HOME_NET to
my internal interface (the NAT'd one, and the one I
want to protect) and EXTERNAL_NET to the external
interface (i.e. the internet). Unforntunately I've
seen virtually no logs whatsoever when I do see logs
it's usually a http_decode log, but it's nothing more
than web browsing from an internal machine out to an
external machine at port 80.

I can't quite figure out what I'm doing wrong. Any
help would be much appreciated. Thanks.


Do You Yahoo!?
Get email at your own domain with Yahoo! Mail. 

More information about the Snort-users mailing list