Snort mailing list archives

Re: (no subject)


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 12 Jun 2002 13:01:27 -0700 (PDT)

On Wed, 12 Jun 2002, Richard Houston wrote:

> I need some help with setting up snort as a NIDS.
>
> I have version 1.8.3 installed on a RH 6.2 machine attached to 2 stacked

Consider upgrading.  1.8.6 is the most current, with 1.8.7beta6 in the works.
There are lots of little 'gotchas' that were fixed in the 1.8.x line.

> 3com hubs. If I port scan the snort host I get lots of log messages
> related to the port scan. I also use typhon to scan the snort host with
> a selection of exploits Scan and all seems fine.  I have all messages
> going to syslog.
> Now here is the issue. If I scan a host other than the snort host, snort
> does not log anything.

Yep.  Sounds just like:

        http://www.snort.org/docs/faq.html#6.21


> Here is the command I used to start snort.
> /usr/sbin/snort -dev -h 10.1.1.0/24 -l /var/log/snort -d -D -i eth0 -c
> /etc/snort/snort.conf

If you're running snort as a daemon, then you don't need '-d, -v, -e, and -d'.
-ved tells snort to write to STDOUT and to decode the packets on the fly.  -D
uncouples snort from STDOUT, but due to the other switches, snort is still
trying to decode and print those things--wasting CPU.

[...snip...]

You might also want to check what $HOME_NET and $EXTERNAL_NET are set to.  I
would suggest:
        var HOME_NET 10.1.1.0/24
        var EXTERNAL_NET !$HOME_NET
as a starting point--If they aren't like that already.

Oh, and try to give us a subject line next time.  Some folks sort email based
on subjects....  And that's the common subject sent to /dev/null.  ;-)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
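As an added example (not part of the list post or of the Snort project), a small POSIX sh lint for the two points raised above: it flags an invocation that combines the daemon switch -D with the STDOUT/decode switches -d, -v or -e (also in bundled form such as -dev), and reads back the HOME_NET / EXTERNAL_NET variables from a snort.conf. It assumes the 1.8-era flag meanings described in the reply; make_sample_conf writes a constructed conf fragment using the suggested values.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes snort 1.8 flag semantics
# as described in the reply: -d/-v/-e print and decode to STDOUT, -D daemonizes.

# Return 0 if the argument list is sane for daemon mode, 1 if -D is combined
# with any of -d, -v or -e (bundled forms like -dev are handled too).
snort_daemon_flags_ok() {
    daemon=0
    decode=0
    for arg in "$@"; do
        case "$arg" in
            --*) ;;                                  # long options ignored here
            -*)
                opts=${arg#-}                        # e.g. "dev" from "-dev"
                case "$opts" in *D*) daemon=1 ;; esac
                case "$opts" in *[dve]*) decode=1 ;; esac
                ;;
        esac
    done
    if [ "$daemon" -eq 1 ] && [ "$decode" -eq 1 ]; then
        return 1
    fi
    return 0
}

# Print "HOME_NET=<v> EXTERNAL_NET=<v>" from a snort.conf; return 1 if either
# 'var' line is missing, so a conf that never defines them is caught early.
snort_net_vars_ok() {
    conf=$1
    home=$(awk '$1=="var" && $2=="HOME_NET"     {print $3; exit}' "$conf")
    ext=$(awk  '$1=="var" && $2=="EXTERNAL_NET" {print $3; exit}' "$conf")
    [ -n "$home" ] && [ -n "$ext" ] || return 1
    echo "HOME_NET=$home EXTERNAL_NET=$ext"
}

# Constructed sample conf (not a real snort.conf); echoes the temp file path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample fragment using the values suggested in the reply
var HOME_NET 10.1.1.0/24
var EXTERNAL_NET !$HOME_NET
EOF
    echo "$f"
}
```

Run the lint against the command line from the post and it exits 1 because -dev and -d are combined with -D; the daemon-only form passes.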

