[Snort-users] Snorby usage

Doug Burks doug.burks at ...11827...
Wed Nov 5 17:26:26 EST 2014

Hi Pradeep,

Replies inline.

On Wed, Nov 5, 2014 at 4:51 PM, Pradeep Mocherla <saipradeep7 at ...11827...> wrote:
> Hi, I'm new to Snorby. I'm doing a project where I need to create 3 machines
> to be installed in a virtual box. One for attacking, one more for observing
> and the other one as a victim. Now I'm using Security Onion for observing
> attacks, Kali Linux to attack and again Linux as a victim. Now I have a few
> doubts regarding usage of Snorby in Security Onion.
> How to set the IDS to monitor the victim IP address, that is, the Linux address,
> i.e. where do I need to change the setting?

Please see:

"If you’re monitoring IP address ranges other than private RFC1918
address space (,,, you should
update your sensor configuration with the correct IP ranges. Sensor
configuration files can be found in /etc/nsm/HOSTNAME-INTERFACE/.
Modify either snort.conf or suricata.yaml (depending on which IDS
engine you chose during sosetup) and update the HOME_NET variable."

> Second one, how to change the rules to Snorby or view the rules in Snorby?

Please see:

If you have further questions or problems relating to Security Onion,
please use the security-onion Google Group:

Doug Burks
Need Security Onion Training or Commercial Support?
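
Added example, not part of the original message or of Security Onion: a small Python check that reads the HOME_NET setting from snort.conf or suricata.yaml text (the files under /etc/nsm/HOSTNAME-INTERFACE/ mentioned above) and reports whether a given host address is covered. The sample configs, the addresses and the function names are constructed for illustration, and a flat HOME_NET list is assumed.

```python
import ipaddress
import re

# Constructed sample configs (values are illustrative, not from the post).
SNORT_SAMPLE = """\
# Setup the network addresses you are protecting
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,!10.9.0.0/16]
ipvar EXTERNAL_NET !$HOME_NET
"""
SURICATA_SAMPLE = """\
vars:
  address-groups:
    HOME_NET: "[172.16.0.0/12]"
"""

# "ipvar HOME_NET <value>" / "var HOME_NET <value>" (Snort) or "HOME_NET: <value>" (Suricata).
HOME_NET_RE = re.compile(
    r"^\s*(?:(?:ip)?var\s+HOME_NET\s+|HOME_NET:\s*)(\S.*?)\s*$", re.M)


def parse_home_net(config_text):
    """Return (included, excluded) networks, or None if HOME_NET is not set.

    Assumes a flat list of addresses/CIDRs; nested lists and $VARIABLE
    references are not resolved and raise ValueError.
    """
    match = HOME_NET_RE.search(config_text)
    if match is None:
        return None
    value = match.group(1).strip("\"'").strip("[]")
    included, excluded = [], []
    for item in (part.strip() for part in value.split(",")):
        if item == "any":
            included.append(ipaddress.ip_network("0.0.0.0/0"))
        elif item.startswith("!"):
            excluded.append(ipaddress.ip_network(item[1:], strict=False))
        elif item:
            included.append(ipaddress.ip_network(item, strict=False))
    return included, excluded


def covers(config_text, ip):
    """True if ip falls inside HOME_NET and outside every negated range."""
    parsed = parse_home_net(config_text)
    if parsed is None:
        return False
    included, excluded = parsed
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in included) and not any(
        addr in net for net in excluded)
```

Pass the contents of the sensor's config file and the monitored host's address to covers(); a False result means HOME_NET does not include that host.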