[Snort-users] newbie configuration issues

Paul Greene pauljgreene at ...5068...
Fri Jul 26 18:26:01 EDT 2002


Through a combination of good suggestions from several people, I got things 
working finally (at least off to a good start).

Just in case the information might be useful to someone else, I'll do a 
compilation of the things that got it going.

Snort had been listening, by default, to the NIC that was facing the 
internal network, and not the NIC that was facing the cable modem. So I 
added the "-i <external NIC>" to the command line. I tried both "-i 
<external NIC>" and "-i <bridge0>" but it seemed to work better using the 
external NIC interface.

The "HOME_NET" and "EXTERNAL_NET" variables weren't set right, as several 
people had suggested. So, I ended up using the following:

var HOME_NET [192.168.0.0/24,68.48.xxx.xxx/32]
var EXTERNAL_NET !$HOME_NET

And the following is the command line I'm using to start up snort in daemon 
mode:

"snort -b -A full -i xl0 -c /usr/local/share/examples/snort/snort.conf -D"

(I'm guessing "/usr/local/share/examples/snort" isn't the standard 
directory for snort.conf and the rules files; where would be a better 
directory to put these things?)

Thanks to all who offered suggestions. Since I'm just getting started, I'm 
sure there's going to be many more questions coming!

(Actually one cool thing developed this week in the office. I'd gotten 
started on this thing at home last weekend, then lo and behold, a special 
project came up early in the week where this "stealth IDS" idea seemed like 
a good component to add to the project, and voila, it was assigned to yours 
truly.)

Paul Greene


At 09:58 PM 7/23/2002 -0400, you wrote:
>Hello All;
>
>I recently installed Snort on an "IDS bridge" using OpenBSD.
>
>The setup is a cable modem. The "IDS bridge" is between the cable modem 
>and the NAT box (another openbsd box). The NAT box is dynamically assigned 
>an IP address in the 68.48.xxx.xxx range by the cable company. The 
>internal network is a 192.168.0.0/24 network.
>
>The snort.conf file is just a default; nothing changed from the original.
>
>The only alerts being logged are those going out from the network, and 
>most of those are false alerts (send a 2k size e-mail, and Snort logs an 
>alert as "Attempted Administrator Privilege Gain" coming from my ISP 
>assigned IP address 68.48.xxx.xxx). No incoming alerts are being logged.
>
>I know from previous experience that I should be getting script kiddies 
>hitting me 50 times a day, yet no alerts are being generated.
>
>What should I be looking at to get this "pig" to start squealing?
>
>Paul Greene
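The HOME_NET / EXTERNAL_NET change above is the part of this thread most worth seeing worked through, so here is an added example (editor's code, not Paul's and not Snort's own parser) that models how Snort resolves those two variables and then checks an inbound-direction rule header against a few constructed packets. It assumes a simplified version of the snort.conf `var` syntax (`any`, `[a,b]` lists, `$VAR` references and a leading `!` for negation), ignores ports and the `<>` bidirectional operator, and uses 192.0.2.10 from the TEST-NET-1 documentation range as a stand-in for the redacted cable-modem address and 203.0.113.5 for a remote host. The `DEFAULT_CONF` string reproduces the stock `var HOME_NET any` / `var EXTERNAL_NET any` lines of the era's shipped snort.conf.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed config fragments (example data, not copied from the post).
# The post's real cable-modem address is redacted, so 192.0.2.10 stands in.
DEFAULT_CONF = "var HOME_NET any\nvar EXTERNAL_NET any\n"
FIXED_CONF = """
var HOME_NET [192.168.0.0/24,192.0.2.10/32]
var EXTERNAL_NET !$HOME_NET
"""

# Typical inbound-direction rule header from the stock rule set.
INBOUND_RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"

# Constructed traffic as (src, dst) pairs. 203.0.113.5 is an arbitrary
# remote host from the TEST-NET-3 documentation range.
OUTBOUND_MAIL = ("192.0.2.10", "203.0.113.5")   # NAT box sending mail out
INBOUND_PROBE = ("203.0.113.5", "192.0.2.10")   # outsider hitting the NAT box
LAN_TO_LAN = ("192.168.0.5", "192.168.0.1")     # purely internal traffic


def parse_vars(conf):
    """Collect `var NAME VALUE` lines into a dict (simplified Snort syntax)."""
    result = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "var":
            result[parts[1]] = parts[2]
    return result


@dataclass
class AddrSet:
    """A resolved address variable: a list of networks, optionally negated."""
    networks: list = field(default_factory=list)
    negated: bool = False
    match_any: bool = False

    def contains(self, ip):
        if self.match_any:
            return True
        addr = ipaddress.ip_address(ip)
        hit = any(addr in net for net in self.networks)
        return (not hit) if self.negated else hit


def resolve(value, variables):
    """Expand a variable value: leading '!' negation, 'any', $REF, [a,b] list."""
    negated = False
    if value.startswith("!"):
        negated = True
        value = value[1:]
    if value == "any":
        if negated:
            raise ValueError("'!any' matches nothing and is not supported here")
        return AddrSet(match_any=True)
    if value.startswith("$"):
        inner = resolve(variables[value[1:]], variables)
        inner.negated = inner.negated != negated   # '!' toggles the inner set
        return inner
    items = value[1:-1].split(",") if value.startswith("[") else [value]
    nets = [ipaddress.ip_network(item, strict=False) for item in items]
    return AddrSet(networks=nets, negated=negated)


def rule_matches(rule, pkt, variables):
    """Match a one-directional rule header against a (src, dst) pair.

    Ports are ignored; only the source/destination address variables are
    evaluated, which is enough to show why the variables matter.
    """
    _action, _proto, src_var, _sport, arrow, dst_var, _dport = rule.split()
    if arrow != "->":
        raise ValueError("only the '->' direction is modelled")
    src_set = resolve(src_var, variables)
    dst_set = resolve(dst_var, variables)
    return src_set.contains(pkt[0]) and dst_set.contains(pkt[1])


def evaluate(conf, rule=INBOUND_RULE):
    """Return which of the three sample flows the rule header fires on."""
    variables = parse_vars(conf)
    flows = [("outbound_mail", OUTBOUND_MAIL),
             ("inbound_probe", INBOUND_PROBE),
             ("lan_to_lan", LAN_TO_LAN)]
    return {name: rule_matches(rule, pkt, variables) for name, pkt in flows}


if __name__ == "__main__":
    print("default snort.conf:", evaluate(DEFAULT_CONF))
    print("fixed snort.conf:  ", evaluate(FIXED_CONF))
```

With both variables left at `any`, an `$EXTERNAL_NET -> $HOME_NET` rule fires on every flow, including the NAT box's own outbound mail, which is the kind of outbound-only noise the original question describes. With the list from the post, the same rule fires only on the probe coming in from outside. One caveat the model makes visible: the public address is a DHCP lease from the cable company, so the `/32` entry in HOME_NET goes stale when the lease changes, and outbound traffic from the new address will look external again until snort.conf is updated and Snort restarted. On the directory question, Snort's conventional location for snort.conf and the rules files is `/etc/snort/`; the path under `share/examples` is where a package drops sample copies.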