[Snort-users] (no subject)
blake at ...319...
Mon Apr 9 11:54:55 EDT 2001
Be sure you are telling snort to listen on the correct interface and that
HOME_NET/EXTERNAL_NET are set accordingly. Additionally, you need to
decide what traffic you want to monitor.

0- Your external interface traffic before ingress NAT.
1- Your internal LAN traffic after ingress NAT.

For example, if you are running snort on a NAT box with:

    eth0 = 220.127.116.11 (public/external interface)
    eth1 = 192.168.2.1 (private/internal interface)

start snort with " -i eth0 "

    var HOME_NET 18.104.22.168/32
    var EXTERNAL_NET !22.214.171.124/32

start snort with " -i eth1 "

    var HOME_NET 192.168.2.0/24 (class c lan)
    var EXTERNAL_NET !192.168.2.0/24

Hope this helps.
On Sat, 7 Apr 2001, Phil wrote:
> interface (i.e. the internet). Unfortunately I've
> seen virtually no logs whatsoever; when I do see logs
> it's usually a http_decode log, but it's nothing more
> than web browsing from an internal machine out to an
> external machine at port 80.
> I can't quite figure out what I'm doing wrong. Any
> help would be much appreciated. Thanks.
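
The pairing of listening interface and address variables described in the reply above can be checked mechanically. The following is an added example, not part of the original message or of Snort itself: a small Python check that reads `var HOME_NET` / `var EXTERNAL_NET` lines and compares them with the address of the interface passed to `-i`. The function names and the 203.0.113.10 address are assumptions made for illustration, and the rule "the interface address should fall inside HOME_NET" is a heuristic taken from the two cases in the reply.

```python
import ipaddress
import re

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")

def parse_vars(conf_text):
    """Collect 'var NAME VALUE' lines; comments and trailing notes are ignored."""
    found = {}
    for line in conf_text.splitlines():
        m = VAR_RE.match(line.split("#", 1)[0])
        if m:
            found[m.group(1)] = m.group(2)
    return found

def networks(value, variables):
    """Return the CIDR blocks named by a value, expanding one $NAME reference."""
    value = value.lstrip("!")
    if value.startswith("$"):
        value = variables[value[1:]].lstrip("!")
    return {ipaddress.ip_network(p, strict=False) for p in value.strip("[]").split(",")}

def check(conf_text, iface_addr):
    """List mismatches between the address variables and the sniffed interface."""
    variables = parse_vars(conf_text)
    home, ext = variables.get("HOME_NET"), variables.get("EXTERNAL_NET")
    if home is None or ext is None:
        return ["HOME_NET and EXTERNAL_NET must both be set"]
    try:
        home_nets = set() if home == "any" else networks(home, variables)
        ext_nets = set() if ext == "any" else networks(ext, variables)
    except (KeyError, ValueError) as err:
        return [f"cannot parse address variable: {err}"]
    problems = []
    addr = ipaddress.ip_address(iface_addr)
    if home_nets and not any(addr in net for net in home_nets):
        problems.append(f"interface address {addr} is outside HOME_NET {home}")
    if ext.startswith("!") and ext_nets != home_nets:
        problems.append(f"EXTERNAL_NET {ext} does not negate HOME_NET {home}")
    return problems

# Constructed sample: the eth1 settings from the message above.
LAN_CONF = """
var HOME_NET 192.168.2.0/24 (class c lan)
var EXTERNAL_NET !192.168.2.0/24
"""

if __name__ == "__main__":
    # 203.0.113.10 is a constructed stand-in for a public eth0 address.
    for addr in ("192.168.2.1", "203.0.113.10"):
        print(addr, check(LAN_CONF, addr) or "ok")
```

Running the LAN settings against the internal address reports no problems, while the same settings paired with the external-side address are flagged because that interface sits outside HOME_NET.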