[Snort-users] (no subject)

Erek Adams erek at ...577...
Wed Jun 12 13:02:04 EDT 2002


On Wed, 12 Jun 2002, Richard Houston wrote:

> I need some help with setting up snort as a NIDS.
>
> I have version 1.8.3 installed on a RH 6.2 machine attached to 2 stacked

Consider upgrading.  1.8.6 is the most current, with 1.8.7beta6 in the works.
There are lots of little 'gotchas' that were fixed in the 1.8.x line.

> 3com hubs. If I port scan the snort host I get lots of log messages
> related to the  port scan, I all so use typhon to scan the snort host with
> a selection of exploits Scan and all seems fine.  I have all messages
> going to syslog.
> Now here is the issue. If I scan a host other than the snort host, snort
> does not log anything.

Yep.  Sounds just like:

	http://www.snort.org/docs/faq.html#6.21


> Here is the command I used to start snort.
> /usr/sbin/snort -dev -h 10.1.1.0/24 -l /var/log/snort -d -D -i eth0 -c
> /etc/snort/snort.conf

If you're running snort as a daemon, then you don't need '-d, -v, -e, and -d'.
-ved tells snort to write to STDOUT and to decode the packts on the fly.  -D
uncouples snort from STDOUT, but due to the other switches, snort is still
trying to decode and print those things--wasting CPU.

[...snip...]

You might also want to check what $HOME_NET and $EXTERNAL_NET are set to.  I
would suggest:
	var HOME_NET 10.1.1.0/24
	var EXTERNAL_NET !$HOME_NET
as a starting point--If they aren't like that already.

Oh, and try to give us a subject line next time.  Somefolks sort email based
on subjects....  And that's the common subject sent to /dev/null.  ;-)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list