[Snort-users] Snort.conf variables

Matt Kettler mkettler at ...4108...
Mon Nov 10 15:07:06 EST 2003


At 11:16 AM 11/10/2003, Remus wrote:
>Just my small confusion regarding HOME_NET and EXTERNAL_NET variables.
>
>I have a Linux firewall which runs Snort as well:
>
>eth0 - external network
>eth1 - local network
>
>And it has port forwards to web and SMTP servers in the local network.
>
>Now my question is which variables do I have to use for my eth0 and eth1?

Given your question, there's no possible answer. And quite frankly, the 
real answer may be "neither".  Snort configuration depends on a lot more 
than just what your router interfaces are.

What interface is Snort running on, eth0 or eth1?
Is there address translation going on?
What are HOME_NET and EXTERNAL_NET defined as relative to your network?
Are you looking to pick up inbound attacks, outbound attacks, or both?




