[Snort-users] Help with config

Rich Adamson radamson at ...2127...
Sun Dec 28 05:53:00 EST 2003


>   With this setup, snort seems unable to log anything at all. I have
>   been to several scanner sites and nothing is logged. What should I
>   set the HOME_NET variable to in this config? (Is it my global IP??)

Home_net should be set to your external network range probably like:
 var HOME_NET 81.174.224.68/30
This assumes your hub is actually on the "outside" edge of your firewall
and your ISP has given you a single registered IP address for the
outside interface of your firewall.

>   Is there any other settings I need to change? 

Not sure since we don't have much of a clue as to what you've already
done. Other considerations include:
 var EXTERNAL_NET !$HOME_NET
 var DNS_SERVERS $HOME_NET	
etc.

>   The interface snort is plugged into on
>   the machine is eth1, which is activated on bootup, and snort states
>   it is listening there in promiscuous mode. It does not have an IP
>   associated with it, the RedHat config tool states this interface is
>   inactive, but I assume that this is as far as Gnome is concerned, and
>   it is active as far as snort is concerned. Am I right?

It's most appropriate to not assume anything. If RH suggests it is 
inactive, it probably is. Activate it; won't hurt.
 
>   I realise that there are no local IPs in this config, as snort is
>   listening before the NAT translation takes place, but at least I
>   will have some idea of what is hitting the firewall.

The "simplest" way to discover whether snort is seeing "any" packets is
to run it from the command line with something like:
 snort -v
(Note: check the doc to see if you need to specify any additional
parameters, such as the "interface" it should listen on, etc.)

Using another machine on your internal network, start a web session or
whatever, with the above command running. If snort can see this traffic
the packets will be displayed on the command line screen in some form. 
If you don't see anything, then the config (or something) is not correct.
If you see only broadcast traffic, then your hub is functioning as
a switch.

If you check the snort archives, you'll find lots of references
over the past couple of years relative to "hub" vs "switch". The bottom
line is that not all devices labeled with "hub" actually function as a
hub; some actually function as a switch. (In many cases, if the snort
sniffing interface is running at 100 meg, as an example, and the 
router interface is running 10 meg, the hub will function as a switch
and you won't see anything other than broadcast traffic. Change all
devices attached to the hub to the exact same speed and it will likely 
start functioning as a hub.)
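As an added check, not part of the original message: a small Python script that parses the `var HOME_NET` / `var EXTERNAL_NET` lines suggested above from a snort.conf and reports whether HOME_NET actually covers the firewall's outside address, and whether EXTERNAL_NET really is its negation. The 81.174.224.68/30 config fragment and the 81.174.224.69 firewall address are constructed sample values; only single CIDR blocks and $VAR / !$VAR references are handled.

```python
import ipaddress
import re

# Constructed snort.conf fragment using the var lines from the reply above.
SAMPLE_CONF = """
var HOME_NET 81.174.224.68/30
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)", re.MULTILINE)

def parse_vars(conf_text):
    """Return {NAME: raw value} for every 'var NAME VALUE' line."""
    return {m.group(1): m.group(2) for m in VAR_RE.finditer(conf_text)}

def resolve(name, variables, depth=0):
    """Expand '$OTHER'/'!$OTHER' chains to (negated, ip_network).
    Single CIDR blocks and $VAR references only; [a,b] lists not handled."""
    if depth > 10:
        raise ValueError(f"variable reference loop at {name}")
    raw = variables[name]
    negated = raw.startswith("!")
    raw = raw.lstrip("!")
    if raw.startswith("$"):
        inner_negated, net = resolve(raw[1:], variables, depth + 1)
        return negated != inner_negated, net
    # strict=False accepts host-style entries such as 81.174.224.68/30.
    return negated, ipaddress.ip_network(raw, strict=False)

def matches(name, variables, address):
    """True if the variable, negation applied, matches the address."""
    negated, net = resolve(name, variables)
    return (ipaddress.ip_address(address) in net) != negated

def check_config(conf_text, firewall_outside_ip):
    """List HOME_NET/EXTERNAL_NET problems relative to the firewall's IP."""
    variables = parse_vars(conf_text)
    findings = [f"missing var {v}" for v in ("HOME_NET", "EXTERNAL_NET")
                if v not in variables]
    if findings:
        return findings
    if not matches("HOME_NET", variables, firewall_outside_ip):
        findings.append(f"HOME_NET {variables['HOME_NET']} does not cover "
                        f"firewall outside address {firewall_outside_ip}")
    if matches("EXTERNAL_NET", variables, firewall_outside_ip):
        findings.append(f"EXTERNAL_NET {variables['EXTERNAL_NET']} also "
                        f"matches {firewall_outside_ip}; expected !$HOME_NET")
    return findings
```

An empty list from check_config means the two variables are consistent with the firewall address; anything else is the reason snort would be classifying the traffic the wrong way round.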