
Re: Snort config



On Wed, 16 May 2001, Oki DZ wrote:

>John Galt wrote:
>> Expect changes when woody freezes: the file you reference is
>> snort.debian.conf in testing/unstable...snort.conf is a real snort.conf
>> (more in line with the upstream...)
>
>I see.
>I've been running on potato (current stable, right?); well, for the
>machine that is directly connected to the Internet. That creates a lot of
>problems. My desktop always uses unstable. But I don't think that it'd be
>wise to put an unstable machine on the Internet. So I end up with
>different releases. Problem is, sometimes Gnome apps wouldn't run
>remotely (crashed, to be exact; due to the differences in the libs).

Make sure to keep up with security.debian.org on the stable box...

>> >DEBIAN_SNORT_HOME_NET="192.168.1.x/32"
>>                        ^^^^^^^^^^^^^^^^
>> Mine shows the routable interface's IP here: is this a munge or your NAT?
>
>The machine runs NAT.
>Actually, I want to monitor both NICs.

To get the outside interface, you need to tell it your ISP-assigned IP.
Probably it'd be a good idea to put in a CIDR including all of your
broadcast as well (the number after the slash: I use /24).

>> >DEBIAN_SNORT_OPTIONS=" -i eth0"
>>                            ^^^^
>> is eth0 your ISP-connected NIC?
>
>No, internal. eth1 is the one that's connected to the outside.

Actually, I forgot you can put more than one interface here.  Go ahead and
prepend eth1 in there:

DEBIAN_SNORT_OPTIONS=" -i eth1 eth0"

>> >DEBIAN_SNORT_STATS_RCPT="root"
>>                           ^^^^^
>> Change this just on principle: using root to check system email is just
>> another thing you can do as a user and not have to be logged in as root so
>> much...
>
>Okay.
>
>BTW, the "stable" and "unstable" release names are pretty misleading
>(misinterpreting?), right? I believe that those who happen to read
>messages on Debian lists (eg: on the archives) would think that there'd
>be Debian systems that are bound to crash daily. I think changing
>"unstable" to "development" would be nicer on the eye.

Bring it up on -policy or -devel...  What can they do, say no and flame
you to death?

>Oki
>
>
>

-- 
<a mailto:galt@inconnu.isu.edu>Who is John Galt?</a>

Failure is not an option. It comes bundled with your Microsoft product.
	-- Ferenc Mantfeld
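
The HOME_NET advice in the message above (a single /32 versus a CIDR that also takes in the broadcast address, with both NICs monitored) can be checked mechanically. The following is an added example, not part of the original post and not code from the Debian snort package; the function name, the interface addresses (including the documentation-range 203.0.113.10 standing in for an ISP-assigned IP) and the /24 netmasks are assumptions made for illustration.

```python
import ipaddress


def home_net_gaps(home_net, interface_addrs):
    """Return {interface: [labels]} for addresses HOME_NET does not cover.

    home_net        -- list of CIDR strings as written in the config
    interface_addrs -- {name: "ip/prefixlen"} as configured on each NIC
    """
    nets = []
    for cidr in home_net:
        try:
            # strict=False accepts a host address with a prefix length,
            # e.g. "203.0.113.10/24", and widens it to the enclosing network.
            nets.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            # A munged value such as "192.168.1.x/32" ends up here.
            raise ValueError(f"not a usable CIDR: {cidr!r}") from None

    gaps = {}
    for name, addr in interface_addrs.items():
        iface = ipaddress.ip_interface(addr)
        wanted = {
            "host": iface.ip,
            "broadcast": iface.network.broadcast_address,
        }
        missing = [label for label, ip in wanted.items()
                   if not any(ip in net for net in nets)]
        if missing:
            gaps[name] = missing
    return gaps


# Constructed sample data: eth0 is the internal NIC, eth1 the outside one.
SAMPLE_INTERFACES = {
    "eth0": "192.168.1.1/24",
    "eth1": "203.0.113.10/24",
}

if __name__ == "__main__":
    # A lone /32 on the internal address misses the internal broadcast
    # and everything on the outside interface.
    print(home_net_gaps(["192.168.1.1/32"], SAMPLE_INTERFACES))
    # One /24 per interface covers host and broadcast on both NICs.
    print(home_net_gaps(["192.168.1.0/24", "203.0.113.10/24"],
                        SAMPLE_INTERFACES))
```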


