[Snort-users] Newbie question.
mkettler at ...4108...
Fri Aug 9 13:37:01 EDT 2002
If you really want snort to listen on two interfaces, you'll need to have 2
different copies of snort running, and they'll need different configs.
You've also got a bit of a misconception of what EXTERNAL_NET means, so
keep reading and correct your snort.conf.

The primary reason they need different configurations is that the HOME_NET
for each interface should be its own subnet, and all the addressable IPs
that are "downstream" as you head into your network. EXTERNAL_NET should
not refer to your own IP addresses at all, but rather should be the set of
IP addresses you don't trust, i.e. the rest of the world.

For most setups the only reasonable choices for EXTERNAL_NET are any, or
!$HOME_NET. The only time you would ever set EXTERNAL_NET to be your own IPs
is if you only wanted to detect attacks from your network (i.e. you have a
public lab and want to detect it being used to attack someone else), or
attacks between different nodes inside your own network, but did not care
about the world attacking you.

If you're using a NAT type setup, HOME_NET on the eth0 interface should be
the real IP(s) that you are NATing against. On the eth1 interface HOME_NET
should be all the private IPs you're using (i.e. 192.168.1.0/24). If you
aren't using address translation, and your inside network consists of all
public IPs (rare these days), you can set the HOME_NET of both to be your
set of IP addresses.

At 03:27 PM 8/9/2002 -0400, Brian F. Vaughan wrote:
> I am running snort-1.8.6 on Linux 6.2 (Kernel 2.4.18). I have
> configured var HOME_NET as my private ip network, and var EXTERNAL_NET as
> my public ip network. However when I start snort with snort -d -l I see
> that snort only initializes eth0. How do I get snort to listen on both
> interfaces (eth0 and eth1).
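
The two-instance NAT layout described in the reply above, sketched as an added example that is not part of the original message. The file paths, log directories and the public address 203.0.113.10 are constructed placeholders; 192.168.1.0/24 is the private range used in the reply.

```conf
# ---- /etc/snort/snort-eth0.conf (hypothetical path): outside interface ----
# HOME_NET is the real public address that NAT is performed against.
# 203.0.113.10 is a constructed placeholder; substitute your own address.
var HOME_NET 203.0.113.10/32
# Everything that is not HOME_NET is untrusted.
var EXTERNAL_NET !$HOME_NET
# ... preprocessors, output plugins and rule includes as in the stock snort.conf ...
#
# Start this instance bound to eth0, with its own config and log directory:
#   snort -d -i eth0 -c /etc/snort/snort-eth0.conf -l /var/log/snort/eth0


# ---- /etc/snort/snort-eth1.conf (hypothetical path): inside interface ----
# HOME_NET is the private range behind the NAT.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
# ... preprocessors, output plugins and rule includes as in the stock snort.conf ...
#
# Start the second instance bound to eth1:
#   snort -d -i eth1 -c /etc/snort/snort-eth1.conf -l /var/log/snort/eth1
```

Giving each instance its own log directory keeps the alerts from the two interfaces apart, so it stays clear which side of the NAT a given alert was seen on.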