[Snort-users] (no subject)

Phil foo_bar_00 at ...131...
Mon Apr 9 19:30:40 EDT 2001


--- Blake Frantz <blake at ...319...> wrote:
> 
> 
> Be sure you are telling snort to listen on the
> correct interface and that
> HOME_NET/EXTERNAL_NET are set accordingly. 
> Additionally, you need to
> decide what traffic you want to monitor.
> 	
> 	0- Your external interface traffic before ingress
> NAT.
> 	1- Your internal LAN traffic after ingress NAT.
> 
> For example, if you are running snort on a NAT box
> with:
> 	eth0 = 209.173.123.23 (public/external interface)
> 	eth1 = 192.168.2.1    (private/internal interface)
> 
> 0-
> 	start snort with " -i eth0 "
> 	var HOME_NET 209.173.123.23/32
> 	var EXTERNAL_NET !209.173.123.23/32
> 
> 1-
> 	start snort with " -i eth1 " 
> 	var HOME_NET 192.168.2.0/24 (class c lan)
> 	var EXTERNAL_NET !192.168.2.0/24
> 
> Hope this helps.
> 
> Blake

Thanks. My question is, what all is the difference. It
seems like the first catches all attacks while the
second catches either attacks that make it through the
firewall... is that somewhat accurate? Am I missing
something here?

Thanks again.

Phil

__________________________________________________
Do You Yahoo!?
Get email at your own domain with Yahoo! Mail. 
http://personal.mail.yahoo.com/




More information about the Snort-users mailing list