[Snort-users] Noob question on snort.conf

Erek Adams erek at ...950...
Sun Jun 1 07:22:03 EDT 2003


On Sat, 1 Jun 2002, storm wrote:

> Hi everyone. Need a little help with snort.conf editing.
> i ucommented the line that says:
>
> #You can specify it explicity as:
> #var HOME_NET 10.1.1.0/24
>
> #or use global variable etc etc
>
> and I commented it to:
>
> #var HOME_NET 172.16.0.1/30
>
> Is this all I have to do to set HOME_NET? I notice there were a bunch of
> other things you could comment that were related to HOME_NET. Is what I
> did enough?

You need to find the line that reads:

	var HOME_NET any

and change it to:

	var HOME_NET <your_ip_range>

Where <your_ip_range> is the network you want to watch.  So if that
network was 172.16.0.1/30 it would be:

	var HOME_NET 172.16.0.1/30

Notice there is no # in front of it.  #'s are comments and the parser
ignores any line that starts with a #.

> Also, where it asks you to list the servers on your network like this:
> #var HTTP_SERVERS $HOME_NET

Look at that again.  It actually reads:

	var HTTP_SERVERS $HOME_NET

Again, notice no # at the start of the line.

> Where do I put the ip of the webserver? I suppose where it says
> "HTTP_SERVERS" ?

You could or if your webserver is in your HOME_NET you could just leave it
the way it is.

Be sure and check out the Snort Manual and Snort FAQ.  Quite a bit of
questions like these are answered inside them.  Yes, that means you have
to _READ_ them, since osmosis doesn't work for learning.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson




More information about the Snort-users mailing list