[Snort-users] (no subject)

Blake Frantz blake at ...319...
Mon Apr 9 11:54:55 EDT 2001


Be sure you are telling snort to listen on the correct interface and that
HOME_NET/EXTERNAL_NET are set accordingly.  Additionally, you need to
decide what traffic you want to monitor.
	
	0- Your external interface traffic before ingress NAT.
	1- Your internal LAN traffic after ingress NAT.

For example, if you are running snort on a NAT box with:
	eth0 = 209.173.123.23 (public/external interface)
	eth1 = 192.168.2.1    (private/internal interface)

0-
	start snort with " -i eth0 "
	var HOME_NET 209.173.123.23/32
	var EXTERNAL_NET !209.173.123.23/32

1-
	start snort with " -i eth1 " 
	var HOME_NET 192.168.2.0/24 (class c lan)
	var EXTERNAL_NET !192.168.2.0/24

Hope this helps.

Blake

On Sat, 7 Apr 2001, Phil wrote:

> interface (i.e. the internet). Unfortunately I've
> seen virtually no logs whatsoever; when I do see logs
> it's usually a http_decode log, but it's nothing more
> than web browsing from an internal machine out to an
> external machine at port 80.
> 
> I can't quite figure out what I'm doing wrong. Any
> help would be much appreciated. Thanks.
> 
> Phil
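
Added example, not part of the original thread: a small Python model of how the two setups in the reply above decide whether an inbound rule header of the form `$EXTERNAL_NET any -> $HOME_NET any` matches, depending on which side of the NAT the sensor listens on. It compares addresses only (not Snort's full rule engine); the remote host 198.51.100.7, the LAN host 192.168.2.10 and the "mismatch" configuration are constructed for illustration.

```python
import ipaddress

def in_var(addr, var):
    """Evaluate a Snort-style address variable: 'any', CIDR, or '!CIDR'."""
    if var == "any":
        return True
    negate = var.startswith("!")
    net = ipaddress.ip_network(var.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return hit != negate  # a leading '!' inverts the membership test

def inbound_rule_matches(pkt, home_net, external_net):
    """True if '$EXTERNAL_NET any -> $HOME_NET any' matches pkt = (src, dst)."""
    src, dst = pkt
    return in_var(src, external_net) and in_var(dst, home_net)

# Constructed sample: the same inbound connection as seen on each interface.
# 198.51.100.7 stands in for an Internet host; 192.168.2.10 is a
# hypothetical LAN host that the NAT box forwards the connection to.
SEEN_ON = {
    "eth0": ("198.51.100.7", "209.173.123.23"),  # before ingress NAT
    "eth1": ("198.51.100.7", "192.168.2.10"),    # after ingress NAT
}

# name -> (interface, HOME_NET, EXTERNAL_NET)
CONFIGS = {
    "option 0": ("eth0", "209.173.123.23/32", "!209.173.123.23/32"),
    "option 1": ("eth1", "192.168.2.0/24", "!192.168.2.0/24"),
    # Constructed misconfiguration: external interface, internal HOME_NET.
    "mismatch": ("eth0", "192.168.2.0/24", "!192.168.2.0/24"),
}

def evaluate(name):
    """Does the inbound rule header match the packet this sensor sees?"""
    iface, home, ext = CONFIGS[name]
    return inbound_rule_matches(SEEN_ON[iface], home, ext)

if __name__ == "__main__":
    for name, (iface, home, ext) in CONFIGS.items():
        print(f"{name:9} -i {iface}  HOME_NET={home:19} match={evaluate(name)}")
```

In the mismatch case the destination seen on eth0 is still the public address, so it never falls inside a 192.168.2.0/24 HOME_NET and the inbound rule header does not match.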




