[Snort-users] newbie configuration issues
pauljgreene at ...5068...
Fri Jul 26 18:26:01 EDT 2002
Through a combination of good suggestions from several people, I got things
working finally (at least off to a good start).
Just in case the information might be useful to someone else, I'll do a
compilation of the things that got it going.
Snort had been listening, by default, to the NIC that was facing the
internal network, and not the NIC that was facing the cable modem. So I
added the "-i <external NIC>" to the command line. I tried both "i
<external NIC>" and "-i <bridge0>" but it seemed to work better using the
external NIC interface.
The "HOME_NET" and "EXTERNAL_NET" variables weren't set right, as several
people had suggested. So, I ended up using the following:
var HOME_NET [192.168.0.0/24,68.48.xxx.xxx/32]
var EXTERNAL_NET !$HOME_NET
And the following is the command line I'm using to start up snort in daemon
"snort -b -A full -i xl0 -c /usr/local/share/examples/snort/snort.conf -D"
(I'm guessing "/usr/local/share/examples/snort" isn't the standard
directory for snort.conf and the rules files; where would be a better
directory to put these things?)
Thanks to all who offered suggestions. Since I'm just getting started, I'm
sure there's going to be many more questions coming!
(Actually one cool thing developed this week in the office. I'd gotten
started on this thing at home last weekend, then lo and behold, a special
project came up early in the week where this "stealth IDS" idea seemed like
a good component to add to the project, and voila, it was assigned to yours
At 09:58 PM 7/23/2002 -0400, you wrote:
>I recently installed Snort on an "IDS bridge" using OpenBSD.
>The setup is a cable modem. The "IDS bridge" is between the cable modem
>and the NAT box (another openbsd box). The NAT box is dynamically assigned
>an IP address in the 68.48.xxx.xxx range by the cable company. The
>internal network is a 192.168.0.0/24 network.
>The snort.conf file is just a default; nothing changed from the original.
>The only alerts being logged are those going out from the network, and
>most of those are false alerts (send a 2k size e-mail, and Snort logs an
>alert as "Attempted Administrator Priviledge Gain" coming from my ISP
>assigned IP address 68.48.xxx.xxx). No incoming alerts are being logged.
>I know from previous experience that I should be getting script kiddies
>hitting me 50 times a day, yet no alerts are being generated.
>What should I be looking at to get this "pig" to start squeeling?
More information about the Snort-users