[Snort-users] (no subject)
erek at ...577...
Wed Jun 12 13:02:04 EDT 2002
On Wed, 12 Jun 2002, Richard Houston wrote:
> I need some help with setting up snort as a NIDS.
> I have version 1.8.3 installed on a RH 6.2 machine attached to 2 stacked
Consider upgrading. 1.8.6 is the most current, with 1.8.7beta6 in the works.
There are lots of little 'gotchas' that were fixed in the 1.8.x line.
> 3com hubs. If I port scan the snort host I get lots of log messages
> related to the port scan, I also use typhon to scan the snort host with
> a selection of exploits Scan and all seems fine. I have all messages
> going to syslog.
> Now here is the issue. If I scan a host other than the snort host, snort
> does not log anything.
Yep. Sounds just like:
> Here is the command I used to start snort.
> /usr/sbin/snort -dev -h 10.1.1.0/24 -l /var/log/snort -d -D -i eth0 -c
If you're running snort as a daemon, then you don't need '-d, -v, -e, and -d'.
-ved tells snort to write to STDOUT and to decode the packets on the fly. -D
uncouples snort from STDOUT, but due to the other switches, snort is still
trying to decode and print those things--wasting CPU.
You might also want to check what $HOME_NET and $EXTERNAL_NET are set to. I
var HOME_NET 10.1.1.0/24
var EXTERNAL_NET !$HOME_NET
as a starting point--If they aren't like that already.
Oh, and try to give us a subject line next time. Some folks sort email based
on subjects.... And that's the common subject sent to /dev/null. ;-)
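As an added illustration of the HOME_NET/EXTERNAL_NET point in the reply above (example code written for this page, not from the thread or from Snort), this parses the `var` lines of a constructed snort.conf fragment, follows `$NAME` references and the `!` negation, and reports whether a scanned host counts as home or external and whether the `-h` argument on the quoted command line agrees with HOME_NET.

```python
import ipaddress
import re
# Constructed snort.conf fragment (not the poster's file), using the vars the reply suggests.
SAMPLE_CONF = """\
var HOME_NET 10.1.1.0/24
var EXTERNAL_NET !$HOME_NET
"""
# Command line as quoted in the thread (-h sets the home network).
SAMPLE_CMDLINE = "/usr/sbin/snort -dev -h 10.1.1.0/24 -l /var/log/snort -D -i eth0"

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)", re.MULTILINE)

def parse_vars(conf_text):
    """Map each 'var NAME VALUE' line to {NAME: VALUE}, unexpanded."""
    return {m.group(1): m.group(2) for m in VAR_RE.finditer(conf_text)}

def resolve(value, variables):
    """Expand a var value to (negated, [networks]): handles a leading '!',
    '$NAME' references (recursively) and a bracketed comma list."""
    negated = value.startswith("!")
    if negated:
        value = value[1:]
    if value.startswith("$"):
        inner_negated, nets = resolve(variables[value[1:]], variables)
        return negated != inner_negated, nets   # '!' of '!' cancels out
    nets = [ipaddress.ip_network(v, strict=False)
            for v in value.strip("[]").split(",")]
    return negated, nets

def matches(host, var_name, variables):
    """True if host is covered by the resolved variable, negation applied."""
    negated, nets = resolve(variables[var_name], variables)
    ip = ipaddress.ip_address(host)
    return any(ip in n for n in nets) != negated

def classify(host, conf_text=SAMPLE_CONF):
    """Report whether a scanned host counts as HOME_NET and/or EXTERNAL_NET."""
    v = parse_vars(conf_text)
    return {"home": matches(host, "HOME_NET", v),
            "external": matches(host, "EXTERNAL_NET", v)}

def home_flag_agrees(cmdline=SAMPLE_CMDLINE, conf_text=SAMPLE_CONF):
    """True if the -h <net> on the command line is one of HOME_NET's networks."""
    m = re.search(r"(?:^|\s)-h\s+(\S+)", cmdline)
    if m is None:
        return None
    v = parse_vars(conf_text)
    _, nets = resolve(v["HOME_NET"], v)
    return ipaddress.ip_network(m.group(1), strict=False) in nets
```

A host on the 10.1.1.0/24 segment that is not the sensor still classifies as home, so a sensor that logs nothing for it is not being filtered out by these two vars; look elsewhere (rules, interface, traffic visibility).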