[Snort-users] config binding config questions

Evan Rinaldo evanrin at ...11827...
Fri Jul 26 14:04:55 EDT 2013


We have 2 sniffing interfaces.  One for our LAN and the other for our
DMZ subnet. I would like to utilize config binding instead of starting
two separate instances of snort.  Logically I would also like to
refrain from bonding the interfaces.  I have a few questions about the
configuration.


So if I set up the subnets in the snort.conf file:


config binding: /etc/snort/snort-LAN.conf net 192.168.0.0/24
config binding: /etc/snort/snort-DMZ.conf net 172.16.0.0/21


I understand that the /etc/snort/snort.conf is the catch all
configuration.  And that the subsequent .conf files are where I can
specify separate variables, rules, preprocessors, etc.

Is it best to keep the default HOME_NET as any on the catch all snort.conf?

Would I specify config logdir in each separate .conf file, or is it
best to do this via -l when we run our snort command?  We would like
them to log to their own log file.


What about if we run snort in daemon mode?  The manpage states alerts
are sent to /var/log/snort/alert unless otherwise specified.  With the
config binding in place will it then log to whatever is set in config
logdir?  Will it still use the default?  Or will it use the info in
snort.conf?


This is my first attempt at this, so if anyone is running snort in this
config, I would very much like to see an example snort.conf and the
other .conf files specified in config binding.


Thanks in advance.