[Snort-users] Newbie question.

Matt Kettler mkettler at ...4108...
Fri Aug 9 13:37:01 EDT 2002


If you really want snort to listen on two interfaces, you'll need to have 2 
different copies of snort running, and they'll need different configs. 
You've also got a bit of a misconception of what EXTERNAL_NET means, so 
keep reading and correct your snort.conf.

The primary reason they need different configurations is that the HOME_NET 
for each interface should be its own subnet, and all the addressable IPs 
that are "downstream" as you head into your network. EXTERNAL_NET should 
not refer to your own IP addresses at all, but rather should be the set of 
IP addresses you don't trust.. ie: the rest of the world.

For most setups the only reasonable choices for EXTERNAL_NET are any, or 
!$HOME_NET. The only time you would ever set EXTERNAL_NET be your own IP's 
is if you only wanted to detect attacks from your network (ie: you have a 
public lab and want to detect it being used to attack someone else), or 
attacks between different nodes inside your own network, but did not care 
about the world attacking you.

If you're using a NAT type setup, HOME_NET on the eth0 interface should be 
the real IP(s) that you are NATing against. On the eth1 interface HOME_NET 
should be all the private IP's you're using (ie: 192.168.1.0/24). If you 
aren't using address translation, and your inside network consists of all 
public IPs (rare these days), you can set the HOME_NET of both to be your 
set of IP addresses.


At 03:27 PM 8/9/2002 -0400, Brian F. Vaughan wrote:
>Hello all,
>
>         I am running snort-1.8.6 on Linux 6.2 (Kernel 2.4.18). I have 
> configured var HOME_NET as my private ip network, and var EXTERNAL_NET as 
> my public ip network. However when I start snort with snort -d -l I see 
> that snort only initializes eth0. How do I get snort to listen on both 
> interfaces (eth0 and eth1).
>
>TIA.
>
>Brian Vaughan
>IT Administrator
>
>
>
>-------------------------------------------------------
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>http://thinkgeek.com/sf
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list





More information about the Snort-users mailing list