Re: [Snort-users] Help with config

12-28-2003
Rich Adamson

> With this setup, snort seems unable to log anything at all. I have
> been to several scanner sites and nothing is logged. What should I
> set the HOME_NET variable to in this config? (Is it my global IP??)


Home_net should be set to your external network range probably like:
var HOME_NET 81.174.224.68/30
This assumes your hub is actually on the "outside" edge of your firewall
and your ISP has given you a single registered IP address for the
outside interface of your firewall.

> Is there any other settings I need to change?


Not sure since we don't have much of a clue as to what you've already
done. Other considerations include:
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
etc.

> The interface snort is plugged into on
> the machine is eth1, which is activated on bootup, and snort states
> it is listening there in promiscuous mode. It does not have an IP
> associated with it, the RedHat config tool states this interface is
> inactive, but I assume that this is as far as Gnome is concerned, and
> it is active as far as snort is concerned. Am I right?


It's most appropriate to not assume anything. If RH suggests it is
inactive, it probably is. Activate it; won't hurt.

> I realise that there are no local IPs in this config, as snort is
> listening before the NAT translation takes place, but at least I
> will have some idea of what is hitting the firewall.


The "simplest" way to discover whether snort is seeing "any" packets is
to run it from the command line with something like:
snort -v
(Note: check the doc to see if you need to specify any additional
parameters, such as the "interface" it should listen on, etc.)

Using another machine on your internal network, start a web session or
whatever, with the above command running. If snort can see this traffic
the packets will be displayed on the command line screen in some form.
If you don't see anything, then the config (or something) is not correct.
If you see only broadcast traffic, then your hub is functioning as
a switch.

If you check the snort archives, you'll find lots of references
over the past couple of years relative to "hub" vs "switch". The bottom
line is that not all devices labeled with "hub" actually function as a
hub; some actually function as a switch. (In many cases, if the snort
sniffing interface is running at 100 meg, as an example, and the
router interface is running 10 meg, the hub will function as a switch
and you won't see anything other than broadcast traffic. Change all
devices attached to the hub to the exact same speed and it will likely
start functioning as a hub.)
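The two checks Rich walks through above (are HOME_NET/EXTERNAL_NET set to something that makes sense for a sensor sitting outside a NAT firewall, and does a "snort -v" run show real traffic or only broadcasts) can be scripted. The block below is an added example, not code from the original post or from the Snort project: it parses a constructed snort.conf fragment built from the variables in the post (the 81.174.224.68/30 range is the one quoted above), validates HOME_NET with Python's standard ipaddress module, and classifies a list of destination MACs the way the post interprets a capture. Function names, the sample config and the MAC lists are all assumptions made for this illustration.

```python
"""Sanity-check Snort HOME_NET/EXTERNAL_NET and interpret a 'snort -v' run.

Added example, not from the original post. SAMPLE_CONF and the capture
inputs are constructed; the /30 comes from the post above.
"""
import ipaddress
import re

# Constructed snort.conf fragment mirroring the variables discussed in the post.
SAMPLE_CONF = """\
# snort.conf (constructed example)
var HOME_NET 81.174.224.68/30
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")


def parse_vars(conf_text):
    """Return {name: raw_value} for every 'var NAME VALUE' line; comments skipped."""
    out = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = VAR_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def resolve(value, variables):
    """Expand chained $NAME references (negations and 'any' are left to the caller)."""
    while value.startswith("$"):
        value = variables[value[1:]]
    return value


def check_home_net(variables):
    """Return a list of problems with HOME_NET/EXTERNAL_NET; empty means it looks sane."""
    problems = []
    raw = variables.get("HOME_NET")
    ext = variables.get("EXTERNAL_NET")
    if raw is None:
        return ["HOME_NET is not defined"]
    if raw == "any":
        # EXTERNAL_NET !$HOME_NET then expands to !any, i.e. no address at all.
        problems.append("HOME_NET is 'any'; with EXTERNAL_NET !$HOME_NET nothing is external")
        return problems
    try:
        net = ipaddress.ip_network(raw, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        problems.append(f"HOME_NET {raw!r} is not a valid CIDR block: {exc}")
        return problems
    if net.is_private:
        # The sensor in the post sits outside the firewall, before NAT, so it will
        # never see RFC 1918 addresses; a private HOME_NET there matches nothing.
        problems.append(f"HOME_NET {net} is private; outside a NAT firewall only public addresses are seen")
    if ext != "!$HOME_NET":
        problems.append(f"EXTERNAL_NET should be '!$HOME_NET', found {ext!r}")
    return problems


def is_home(ip, variables):
    """True if ip falls inside HOME_NET after $-expansion."""
    net = ipaddress.ip_network(resolve(variables["HOME_NET"], variables), strict=False)
    return ipaddress.ip_address(ip) in net


def classify_capture(dst_macs):
    """Interpret a 'snort -v' run the way the post does.

    dst_macs: destination MAC of each frame seen (constructed input).
    Returns 'nothing' (interface/config problem), 'broadcast-only' (the "hub"
    is switching) or 'unicast' (the sensor really sees the traffic).
    """
    if not dst_macs:
        return "nothing"
    if all(mac.lower() == "ff:ff:ff:ff:ff:ff" for mac in dst_macs):
        return "broadcast-only"
    return "unicast"


if __name__ == "__main__":
    v = parse_vars(SAMPLE_CONF)
    print("problems:", check_home_net(v) or "none")
    print("81.174.224.69 in HOME_NET:", is_home("81.174.224.69", v))
    print("192.168.1.10 in HOME_NET:", is_home("192.168.1.10", v))
    print(classify_capture(["ff:ff:ff:ff:ff:ff", "ff:ff:ff:ff:ff:ff"]))
```

The strict=True parse is deliberate: a HOME_NET such as 81.174.224.69/30 has host bits set and is rejected, which is the kind of silent mistake that makes a sensor log nothing. The private-range check encodes the point in the post that the sensor is listening before NAT, so RFC 1918 addresses never appear on that wire.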




