[Snort-users] Noob question on snort.conf
erek at ...950...
Sun Jun 1 07:22:03 EDT 2003
On Sat, 1 Jun 2002, storm wrote:
> Hi everyone. Need a little help with snort.conf editing.
> i ucommented the line that says:
> #You can specify it explicity as:
> #var HOME_NET 10.1.1.0/24
> #or use global variable etc etc
> and I commented it to:
> #var HOME_NET 172.16.0.1/30
> Is this all I have to do to set HOME_NET? I notice there were a bunch of
> other things you could comment that were related to HOME_NET. Is what I
> did enough?
You need to find the line that reads:
var HOME_NET any
and change it to:
var HOME_NET <your_ip_range>
Where <your_ip_range> is the network you want to watch. So if that
network was 172.16.0.1/30 it would be:
var HOME_NET 172.16.0.1/30
Notice there is no # in front of it. #'s are comments and the parser
ignores any line that starts with a #.
> Also, where it asks you to list the servers on your network like this:
> #var HTTP_SERVERS $HOME_NET
Look at that again. It actually reads:
var HTTP_SERVERS $HOME_NET
Again, notice no # at the start of the line.
> Where do I put the ip of the webserver? I suppose where it says
> "HTTP_SERVERS" ?
You could or if your webserver is in your HOME_NET you could just leave it
the way it is.
Be sure and check out the Snort Manual and Snort FAQ. Quite a bit of
questions like these are answered inside them. Yes, that means you have
to _READ_ them, since osmosis doesn't work for learning.
"When things get weird, the weird turn pro." H.S. Thompson
More information about the Snort-users