[Snort-users] 3 quick questions

storm storm-shadow at ...5068...
Tue Jun 3 18:44:10 EDT 2003


3 quick questions. 

1. Below is an example of the beginning of my snort.conf. I *attempted* to correctly define the HOME_NET. I noticed one line was set to "HOME_NET any", so I put a # sign in front of it. Was I correct in doing this? I figured defining HOME_NET once was enough.

2. When I go to edit the SNORT DECODER, do I simply just uncomment the existing lines?

3. snort -A fast -c /full/route/to/snort.conf is the proper way to run in IDS mode with alerting, correct? When I tried this I got an error at the bottom of the screen that said:

ERROR: Undefined variable name: (/root/snort-2.0.0/etc/../rules/exploit.rules:21): SMTP_SERVERS
Fatal Error, Quitting..

TIA
Storm


----Beginning of my snort.conf--------
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
# your local network. The variable is currently
# setup for an RFC 1918 address space.
#
# You can specify it explicitly as:
#

 var HOME_NET 172.16.0.1/30

#
# or use global variable $<interfacename>_ADDRESS
# which will be always initialized to IP address and
# netmask of the network interface which you run
# snort at.  Under Windows, this must be specified
# as $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

# var HOME_NET any    (I put a # sign in front of this one)

# Set up the external network addresses as well.
# A good start may be "any"

var EXTERNAL_NET any

---End of snort.conf----
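
The fatal error in question 3 is what Snort prints when a rules file references a variable for which snort.conf has no uncommented var line. The Python check below is an added example, not part of the original post or of Snort itself: it lists such references before Snort is started. The sample rules, the file name constructed.rules and the function names are made up for illustration, and the sketch assumes that text inside quoted option strings is not subject to variable expansion.

```python
import re

VAR_DEF = re.compile(r'^\s*var\s+(\w+)\s+(\S+)')   # uncommented "var NAME value"
VAR_REF = re.compile(r'\$\(?([A-Za-z_]\w*)')       # $NAME or $(NAME)
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')          # quoted option strings

def defined_vars(conf_text):
    """Map NAME -> value for every uncommented var line (last one wins)."""
    defs = {}
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            defs[m.group(1)] = m.group(2)
    return defs

def undefined_refs(conf_text, rules):
    """Return sorted (file, line_no, name) for each $NAME with no var line."""
    defs = defined_vars(conf_text)
    missing = set()
    for fname, text in rules.items():
        for no, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith('#'):
                continue  # commented-out rule
            for name in VAR_REF.findall(QUOTED.sub('', line)):
                # <interfacename>_ADDRESS is initialized by Snort itself
                if name not in defs and not name.endswith('_ADDRESS'):
                    missing.add((fname, no, name))
    return sorted(missing)

# Constructed sample input: the uncommented lines of the posted snort.conf
# plus two made-up rules (not taken from exploit.rules).
CONF = """\
 var HOME_NET 172.16.0.1/30
# var HOME_NET any
var EXTERNAL_NET any
"""
RULES = {"constructed.rules": """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample $IN_QUOTES"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"sample"; sid:1000002;)
"""}

if __name__ == "__main__":
    print(defined_vars(CONF))
    for fname, no, name in undefined_refs(CONF, RULES):
        print(f"{fname}:{no}: undefined variable {name}")
```

Adding a line such as "var SMTP_SERVERS $HOME_NET" to the configuration text makes the check come back empty for these sample rules.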
