[Snort-users] Snort on freebsd 4.6 anyone wanna help!!
erek at ...577...
Sun Jul 7 19:52:03 EDT 2002
On Sun, 7 Jul 2002, red z wrote:
> Got it running on freebsd4.6 but I dont know what to do. The only thing I
> could do was snort -v
> I assume I have to write rules to "filter" out traffic I don't want to see.
> I've read the snort users manual etc..
Great. You've got a working binary! Now you'll need to configure it.
> Where do I start now? What should I edit?
Ummmm... You should _re-read_ the docs. :) It's like Prego--It's in there.
If you can't bring yourself to read a lot, then at least read "USAGE" and the
If you're running 'snort -v' then you've only touched the most basic aspect of
snort (a sniffer). You'll want to read the USAGE and docs to understand how
the other modes work. The other two modes are NIDS (Network Intrusion
Detection System) and packet logger. These other modes are more complex and
require a bit more configuration than the basic sniffer mode.
"Where snort.conf is the name of your rules file. This will apply the rules
set in the snort.conf file to each packet to decide if an action based upon
the rule type in the file should be taken. If you don't specify an output
directory for the program, it will default to /var/log/snort.
One thing to note about the last command line is that if Snort is going to be
used in a long term way as an IDS, the "-v" switch should be left off the
command line for the sake of speed. The screen is a slow place to write data
to, and packets can be dropped while writing to the display."
So to answer your question: snort.conf Snort.conf is well commented and
should be fairly straightforward to configure. HOME_NET is your stuff,
EXTERNAL_NET is not. Best settings for EXTERNAL_NET depend on your network
layout, but basically could be one of two things:
var EXTERNAL_NET !$HOME_NET
var EXTERNAL_NET any
More information about the Snort-users