
Re: Snort config



John Galt wrote:
> Expect changes when woody freezes: the file you reference is
> snort.debian.conf in testing/unstable...snort.conf is a real snort.conf
> (more in line with the upstream...)

I see.
I've been running on potato (current stable, right?); well, for the
machine that is directly connected to the Internet. That creates a lot of
problems. My desktop always uses unstable. But I don't think that it'd be
wise to put an unstable machine on the Internet. So I end up with
different releases. Problem is, sometimes Gnome apps wouldn't run
remotely (crashed, to be exact; due to the differences in the libs).

> >DEBIAN_SNORT_HOME_NET="192.168.1.x/32"
>                        ^^^^^^^^^^^^^^^^
> Mine shows the routable interface's IP here: is this a munge or your NAT?

The machine runs NAT.
Actually, I want to monitor both NICs.
 
> >DEBIAN_SNORT_OPTIONS=" -i eth0"
>                            ^^^^
> is eth0 your ISP-connected NIC?

No, internal. eth1 is the one that is connected to the outside.
 
> >DEBIAN_SNORT_STATS_RCPT="root"
>                           ^^^^^
> Change this just on principle: using root to check system email is just
> another thing you can do as a user and not have to be logged in as root so
> much...

Okay.

BTW, the "stable" and "unstable" release names are pretty misleading
(misinterpreting?), right? I believe that those who happen to read
messages on Debian lists (e.g. on the archives) would think that there'd
be Debian systems that are bound to crash daily. I think changing
"unstable" to "development" would be nicer on the eye.

Oki


