[Snort-users] trouble specifying more than one HOME_NET variable

James Lay slave_tothe_box at ...131...
Thu Jun 26 09:04:09 EDT 2003


On Thu, 26 Jun 2003 10:44:26 -0500
"Philip Davidson" <Philip at ...8580...> wrote:

> Hello all,
> 
> I am trying to specify my $HOME_NET variable to be two separate internal
> LANs.  
> After making the below change, I tried to start snort back up and it would
> not start.  After issuing a "/etc/init.d/snort start",  my startup script
> tells me that it is up and running.
> But then I issue a "ps -ef|grep snort" and there is no snort.
> Any idears?
> 
> Here is a section of my conf:
> 
> 
> var HOME_NET [192.168.1.0/24,192.168.5.0/24]
> 
> # Set up the external network addresses as well.
> # A good start may be "any"
> 
> var EXTERNAL_NET !$HOME_NET
> 
> # Configure your server lists.  This allows snort to only look for attacks
> # to systems that have a service up.  Why look for HTTP attacks if you are
> # not running a web server?  This allows quick filtering based on IP
> addresses
> # These configurations MUST follow the same configuration scheme as defined
> # above for $HOME_NET.
> 
> # List of DNS servers on your network
> var DNS_SERVERS $HOME_NET
> 
> # List of SMTP servers on your network
> var SMTP_SERVERS $HOME_NET
> 
> # List of web servers on your network
> var HTTP_SERVERS $HOME_NET
> 
> # List of sql servers on your network
> var SQL_SERVERS $HOME_NET
> 
> # List of telnet servers on your network
> var TELNET_SERVERS $HOME_NET
> 
> # Configure your service ports.  This allows snort to look for attacks
> # destined to a specific application only on the ports that application
> # runs on.  For example, if you run a web server on port 8081, set your
> # HTTP_PORTS variable like this:
> #
> # var HTTP_PORTS 8081
> #
> # Port lists must either be continuous [eg 80:8080], or a single port [eg
> 80].
> # We will adding support for a real list of ports in the future.
> 
> # Ports you run web servers on
> var HTTP_PORTS 80
> 
> # Ports you want to look for SHELLCODE on.
> var SHELLCODE_PORTS !80
> 
> # Ports you do oracle attacks on
> var ORACLE_PORTS 1521
> 
> 
> 
> Thanks in advance
> 
> 
> Philip Davidson
> DPC, Inc.
> 1015 Maurice Fields Dr.
> Paris, TN 38242

David,

Run it in a console minus the -D switch so you can see what it dies on.

James




More information about the Snort-users mailing list