[ale] A snort newbie question

Jonathan Rickman jonathan at xcorps.net
Tue Aug 21 19:17:43 EDT 2001


What version of snort are you running? I've occasionally had
problems with snort getting overwhelmed in promiscuous mode. Try the -p
flag to prevent promisc mode. My gut instinct is that you need to use the
$ethX_ADDRESS variable on both EXTERNAL and INTERNAL, and kick it out of
promiscuous mode. That should fix it.

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net

On Tue, 21 Aug 2001, James CE Johnson wrote:

> I'm having a bit of trouble configuring snort on my firewall/gateway. At
> least, I think I am...
>
> eth0 is my internal interface, eth1 is connected to my cable modem.
>
> In snort.conf I have:
>     var HOME_NET 192.168.42.0/24
>     var EXTERNAL_NET $eth1_ADDRESS
>
> And I fire up snort thusly:
>     snort -Afull -i eth1 -c /etc/snort/snort.conf -D
>
> I then log in to a host external to my network and telnet back to my
> webserver. When I throw the default.ida yack at it I don't see anything
> in my snort logs. The only way I can get anything in the snort logs is
> to change both *_NET values to 'any' but then I get alerts about
> legitimate traffic I generate inside my network.
>
> Suggestions?
>
>
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
>
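
Added example (not part of either post): a small model of how the address half of a rule header of the form `$EXTERNAL_NET any -> $HOME_NET 80` is evaluated against the variable settings discussed above. Assumptions: the addresses are constructed documentation addresses, `$eth1_ADDRESS` is taken to expand to the interface's address/netmask, outbound traffic is masqueraded to the eth1 address, and the third configuration is this example's own, not a setting taken from the thread.

```python
import ipaddress

# Constructed sample values (assumptions, not from the thread):
ETH1_ADDRESS = "203.0.113.10/24"   # stands in for what $eth1_ADDRESS expands to
ETH1_IP = "203.0.113.10"           # the gateway's cable-modem-side address
OUTSIDE_HOST = "198.51.100.7"      # the external host used for the test probe


def in_var(ip, var):
    """True if ip falls inside a Snort-style address variable ('any' or CIDR)."""
    if var == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(var, strict=False)


def header_matches(src, dst, external_net, home_net):
    """Address part of '$EXTERNAL_NET any -> $HOME_NET 80' (ports ignored)."""
    return in_var(src, external_net) and in_var(dst, home_net)


def evaluate(external_net, home_net):
    """Evaluate two packets as seen on eth1 against the given variables."""
    return {
        # Probe from the outside host to the gateway's external address.
        "outside_probe": header_matches(OUTSIDE_HOST, ETH1_IP,
                                        external_net, home_net),
        # Masqueraded request from the LAN out to a web server.
        "outbound": header_matches(ETH1_IP, OUTSIDE_HOST,
                                   external_net, home_net),
    }


CONFIGS = {
    # As posted: HOME_NET is the LAN, EXTERNAL_NET is the eth1 address.
    "as posted": (ETH1_ADDRESS, "192.168.42.0/24"),
    # Both variables set to 'any', as tried in the question.
    "both any": ("any", "any"),
    # Hypothetical alternative: protect the address visible on eth1.
    "home = eth1 address": ("any", ETH1_ADDRESS),
}

if __name__ == "__main__":
    for name, (ext, home) in CONFIGS.items():
        print(f"{name:22} {evaluate(ext, home)}")
```

Under these assumptions the posted settings match neither packet, because the probe's source is not in EXTERNAL_NET and its destination on eth1 is not a 192.168.42.0/24 address, while `any`/`any` matches both directions.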
