[Snort-users] var external net

Sean Kiewiet SKiewiet at ...13511...
Sat Oct 15 08:34:44 EDT 2005


I need some help;

I have 4 instances of snort running on a single machine and each
instance monitors a single promisc interface.

interface 3 -> home net ANY
interface 2 -> home net [xxx.xxx.xxx.xxx/24]
interface 1 -> home net [xxx.xxx.xxx.xxx/24]
interface 0 -> home net [xxx.xxx.xxx.xxx/24]

The external net for all interfaces is set to ANY

When I change home net in snort.conf on interface 3 from ANY to
[xxx.xxx.xxx.xxx/28,xxx.xxx.xxx.xxx/29] the sensor doesn't pickup any
more traffic, the log file just sits at 24 bytes.  When set to ANY snort
seems to work just fine, all of the addresses from the two blocks (and
more that I don't care about) are present in the log files.

BTW - all the x's are replaced with actual network addresses, I used
them here to protect the info.

What am I missing?

Sean






More information about the Snort-users mailing list