[Snort-users] configuring snort

Lee Clemens snort at ...13080...
Wed Mar 2 13:58:55 EST 2005


I would recommend var EXTERNAL_NET !$HOME_NET

This will force Snort to consider any IP not included in the subnet (or
list) shown as HOME_NET to be external and may help stop your
problems. However, I'm not exactly sure what you mean by "logging the local
machine in the alert logs", so it's a little hard to say. Does this mean
it's seeing interactions between your own machines and alerting to it
(obviously you wouldn't want a foreign machine and your own interacting the
way computers on the same network do)?

--Lee

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
jzorzi at ...13110...
Sent: Tuesday, March 01, 2005 10:24 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] configuring snort

I'm trying to set up Snort log monitoring and real-time alerts.
I've edited the standard snort.conf file.
I've modified the HOME_NET var to the appropriate sets of IP addresses and
left the EXTERNAL_NET to any
 
The thing is that it's logging the local machine in the alert logs.  I'm
guessing the EXTERNAL_NET var is causing this but I don't know what to set
it to.
 
Can anyone give me any insight?  An explanation of how Snort uses these
variables would be great too.
 
Thanks in advance for your help
 

Jay Zorzi
Systems Administrator, Information Technology

MarketLink Solutions
see further. achieve more.

e - jzorzi at ...13110...
t - 416.260.2800 x299
f - 416.260.2893 
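
How the two variables feed rule matching, as an added example that is not part of either message and is not Snort's own code: a simplified Python model of the address fields of a rule header only (protocol, ports and payload are ignored). The HOME_NET list and packet addresses are constructed, and the header `$EXTERNAL_NET any -> $HOME_NET any` is assumed as the address pattern found in many stock rules.

```python
import ipaddress

def resolve(spec, variables):
    """Expand 'any', '$VAR', '!$VAR', a CIDR or a [a,b] list.
    Returns (negated, networks); networks is None for 'any'."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):
        inner_negated, nets = resolve(variables[spec[1:]], variables)
        return negated != inner_negated, nets
    if spec == "any":
        return negated, None
    items = spec.strip("[]").split(",")
    return negated, [ipaddress.ip_network(i.strip()) for i in items]

def addr_matches(ip, spec, variables):
    negated, nets = resolve(spec, variables)
    hit = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated

def header_matches(src, dst, variables, rule_src="$EXTERNAL_NET", rule_dst="$HOME_NET"):
    """True if a packet src -> dst satisfies the rule header's address fields."""
    return (addr_matches(src, rule_src, variables)
            and addr_matches(dst, rule_dst, variables))

# Constructed sample values, not taken from the thread.
HOME = "[192.168.1.0/24,10.0.0.0/8]"
CONF_ANY = {"HOME_NET": HOME, "EXTERNAL_NET": "any"}              # setting in the question
CONF_NOT_HOME = {"HOME_NET": HOME, "EXTERNAL_NET": "!$HOME_NET"}  # setting in the reply

PACKETS = [
    ("192.168.1.10", "192.168.1.20"),  # local -> local
    ("203.0.113.5", "192.168.1.20"),   # outside -> local
    ("192.168.1.10", "203.0.113.5"),   # local -> outside
]

def compare():
    """Per packet: (src, dst, matches with 'any', matches with '!$HOME_NET')."""
    return [(s, d, header_matches(s, d, CONF_ANY), header_matches(s, d, CONF_NOT_HOME))
            for s, d in PACKETS]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

In this model, local-to-local traffic satisfies the header only while EXTERNAL_NET is `any`; traffic from outside matches under both settings.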

 





