[Snort-users] Snort logging and the home network

Erek Adams erek at ...577...
Wed Mar 6 12:42:01 EST 2002


On Wed, 6 Mar 2002, Bill McCarty wrote:

[...snip...]

> Q: What is the relationship between the HOME_NET variable in snort.conf and
> the -h switch on the command line? I hope that, by better understanding
> this, I'll know why my configuration ceased working.

Well...  This might not tell you everything, but it might help:
http://www.snort.org/docs/writing_rules/chap1.html#tth_sEc1.3

[quote on]

"If you just specify a plain "-l" switch, you may notice that Snort sometimes
uses the address of the remote computer as the directory in which it places
packets, and sometimes it uses the local host address. In order to log
relative to the home network, you need to tell Snort which network is the home
network:

       ./snort -dev -l ./log -h 192.168.1.0/24

This rule tells Snort that you want to print out the data link and TCP/IP
headers as well as application data into the directory ./log, and you want to
log the packets relative to the 192.168.1.0 class C network. All incoming
packets will be recorded into subdirectories of the log directory, with the
directory names being based on the address of the remote (non-192.168.1) host.
Note that if both hosts are on the home network, then they are recorded based
upon the higher of the two's port numbers, or in the case of a tie, the source
address."

[quote off]

[...snip...]

-h is also used in combination with -O to know which addresses to munge on
output.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
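The directory-selection rule from the quoted manual text, worked through as an added Python example; this is not Snort's own code, and the home network, the sample packets and the behaviour when neither host is on the home network are assumptions made for the illustration.

```python
import ipaddress

# Constructed illustration of how `snort -l <dir> -h <home_net>` picks the
# per-host log subdirectory, following the manual excerpt quoted above.
# Added example, not code from the Snort source tree.


def log_subdir(home_net, src_ip, src_port, dst_ip, dst_port):
    """Return the address used as the log subdirectory name for one packet.

    Rule from the manual: log relative to the home network, i.e. use the
    address of the remote (non-home) host. If both hosts are on the home
    network, use the side with the higher port; on a tie, the source address.
    The "neither host is home" case is not covered by the manual text; it is
    assumed here to fall back to the same port rule.
    """
    net = ipaddress.ip_network(home_net, strict=False)
    src_home = ipaddress.ip_address(src_ip) in net
    dst_home = ipaddress.ip_address(dst_ip) in net

    if src_home and not dst_home:
        return dst_ip            # destination is the remote host
    if dst_home and not src_home:
        return src_ip            # source is the remote host

    # Both (or, by assumption, neither) on the home network: port rule.
    if src_port > dst_port:
        return src_ip
    if dst_port > src_port:
        return dst_ip
    return src_ip                # tie -> source address


def log_layout(home_net, packets):
    """Group a list of (src_ip, src_port, dst_ip, dst_port) by subdirectory."""
    layout = {}
    for src_ip, src_port, dst_ip, dst_port in packets:
        sub = log_subdir(home_net, src_ip, src_port, dst_ip, dst_port)
        layout.setdefault(sub, []).append((src_ip, src_port, dst_ip, dst_port))
    return layout


# Constructed sample traffic against the 192.168.1.0/24 home network.
SAMPLE = [
    ("192.168.1.5", 51234, "10.0.0.7", 80),      # outbound web request
    ("10.0.0.7", 80, "192.168.1.5", 51234),      # its reply
    ("192.168.1.5", 40000, "192.168.1.9", 22),   # internal ssh, higher src port
    ("192.168.1.5", 53, "192.168.1.9", 53),      # internal, port tie
]

if __name__ == "__main__":
    for sub, pkts in log_layout("192.168.1.0/24", SAMPLE).items():
        print(f"./log/{sub}: {len(pkts)} packet(s)")
```

Both directions of the outbound web exchange land under the remote host's directory, which is the "relative to the home network" behaviour the -h switch buys you.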