[Snort-users] Snort logging and the home network

Bill McCarty bmccarty at ...5196...
Wed Mar 6 12:02:24 EST 2002


I set up snort several weeks ago. I've tweaked the configuration and rules 
a few times and all has seemed well.

Today, I noticed that snort was no longer consistently producing packet 
logs in the directories named for IP addresses. Snort was logging some 
traffic, generally traffic pertaining to the home network. However, the 
most interesting traffic was not being logged. All the while, Snort 
continued posting alerts and logging everything in tcpdump format.

This looked like a problem with $HOME_NET. So, I inspected snort.conf but 
found no problem. Nevertheless, I restarted snort. However, this didn't 
change the situation.

I checked my startup script and found it did not include the -h option. So, 
as an experiment, I added one specifying the home net, and restarted snort. 
Bingo! I immediately got the logs that had stopped appearing.

Q: What is the relationship between the HOME_NET variable in snort.conf and 
the -h switch on the command line? I hope that, by better understanding 
this, I'll know why my configuration ceased working.

My log shows that I installed snort-mysql+flexresp-1.8.3-5snort on Sunday, 
March 3. My guess is that installing that version over snort-1.8.3-5snort, 
which was installed February 13, may have messed up something despite my 
replacing the original configuration file. Or, perhaps the behavior of the 
two program versions differs with respect to the handling of HOME_NET and 
the -h switch. More likely, I somehow goofed in replacing the configuration 
file, which looks good to me, but isn't....

Thanks!
