[Snort-users] Snort logging and the home network
bmccarty at ...5196...
Wed Mar 6 12:02:24 EST 2002
I set up snort several weeks ago. I've tweaked the configuration and rules
a few times and all has seemed well.
Today, I noticed that snort was no longer consistently producing packet
logs in the directories named for IP addresses. Snort was logging some
traffic, generally traffic pertaining to the home network. However, the
most interesting traffic was not being logged. All the while, Snort
continued posting alerts and logging everything in tcpdump format.
This looked like a problem with $HOME_NET. So, I inspected snort.conf but
found no problem. Nevertheless, I restarted snort. However, this didn't
change the situation.
I checked my startup script and found it did not include the -h option. So,
as an experiment, I added one specifying the home net, and restarted snort.
Bingo! I immediately got the logs that had stopped appearing.
Q: What is the relationship between the HOME_NET variable in snort.conf and
the -h switch on the command line? I hope that, by better understanding
this, I'll know why my configuration ceased working.
My log shows that I installed snort-mysql+flexresp-1.8.3-5snort on Sunday,
March 3. My guess is that installing that version over snort-1.8.3-5snort,
which was installed February 13, may have messed up something despite my
replacing the original configuration file. Or, perhaps the behavior of the
two program versions differs with respect to the handling of HOME_NET and
the -h switch. More likely, I somehow goofed in replacing the configuration
file, which looks good to me, but isn't....
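The poster's fix was to put the same home network on the command line with -h that snort.conf names in its HOME_NET variable. One way to keep the two from drifting apart in a startup script is to derive the -h value from the configuration file itself. The script below is an added example, not code from the original post or from the Snort project; the configuration path, log directory and the rest of the snort command line are assumptions for illustration, and it relies only on the poster's observation that -h restored the per-address packet logs.

```shell
#!/bin/sh
# Added example (not from the original post or the Snort project):
# read "var HOME_NET ..." out of a snort.conf and pass the same value to
# snort's -h switch, so the rule variable and the command-line home
# network cannot disagree. Paths and the snort command line are assumed.

# Print the value of HOME_NET defined in the given snort.conf.
# Returns 1 (and prints nothing) if the variable is not defined.
homenet_from_conf() {
    conf="$1"
    # Match lines of the form "var HOME_NET <value>", ignoring trailing comments.
    val=$(sed -n 's/^[[:space:]]*var[[:space:]]\{1,\}HOME_NET[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$conf" | head -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Build a snort command line whose -c and -h come from the same file.
# Fails (returns 1) rather than starting snort without a home network.
snort_cmdline() {
    conf="$1"
    hn=$(homenet_from_conf "$conf") || return 1
    # Log directory and daemon flag are assumptions for the example.
    printf 'snort -c %s -h %s -l /var/log/snort -D\n' "$conf" "$hn"
}

# Constructed sample snort.conf so the script runs stand-alone.
SAMPLE_CONF="${TMPDIR:-/tmp}/snort-example-$$.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample configuration, not a real snort.conf
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
EOF

# Shows the command line that a startup script would run.
snort_cmdline "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

If the configuration file has no HOME_NET line, snort_cmdline refuses to produce a command, which is the failure a startup script should make loud rather than silently starting snort with no -h and losing the per-address logs again.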