First they have a "HOME_NET" variable. What exactly is this variable? Does it set the network for the NIC that will be the sensor, or the network that houses the NIC you will use to administer the IDS?
It's the snort.conf variable that tells Snort how to make the difference between what's local and what's remote. If you check the Snort rules, you'll see lines something like "alert ANY ANY -> HOME_NET tcp 80" which would tell Snort to trip on anything from a remote location to the local port 80. If you're using this on a single-box setup, set it to the public IP address the NIC listens on.
Then they have another variable in the startup script, S99snort, that I was told to copy to /etc/init.d/snort: "IFACE". What does this variable do? Again, does it assign the control NIC or the sensor NIC?
Other way around. The initscript lives in /etc/init.d and is symlinked manually or with chksysconf in the runlevels it should start/stop in. I don't know the script (post link?) but "IFACE" usually will mean the interface Snort should listen on.
When I try to manually run Snort by typing "snort -i eth3" after I place eth3 in promisc mode, I get the following error:
<...snip...>
Uh, you need to tell me to do something...
: No such file or directory
Post a link to the script.
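The local/remote split that HOME_NET drives, as an added example that is not part of the original thread or of Snort itself: a small Python check that reads `var`/`ipvar` lines from snort.conf text and decides whether a flow would be a candidate for a rule of the form `alert tcp $EXTERNAL_NET any -> $HOME_NET 80`. The sample config, the 192.0.2.10 sensor address and the function names are constructed for illustration; only flat address lists are handled.

```python
import ipaddress
import re

# Constructed sample; 192.0.2.10 stands in for the sensor's public address.
SAMPLE_CONF = """\
# single-box setup: HOME_NET is the address the NIC listens on
var HOME_NET 192.0.2.10/32
var EXTERNAL_NET !$HOME_NET
"""

def parse_vars(conf_text):
    """Collect 'var NAME value' / 'ipvar NAME value' lines from snort.conf text."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*(?:ip)?var\s+(\w+)\s+(.+)", line)
        if m:
            found[m.group(1)] = m.group(2).replace(" ", "")
    return found

def in_set(addr, value, variables):
    """True if addr falls inside a Snort address expression."""
    if value.startswith("!"):                      # negation
        return not in_set(addr, value[1:], variables)
    if value.startswith("$"):                      # reference to another variable
        return in_set(addr, variables[value[1:]], variables)
    if value == "any":
        return True
    if value.startswith("[") and value.endswith("]"):
        items = value[1:-1].split(",")
        pos = [i for i in items if not i.startswith("!")]
        neg = [i[1:] for i in items if i.startswith("!")]
        hit = not pos or any(in_set(addr, i, variables) for i in pos)
        return hit and not any(in_set(addr, i, variables) for i in neg)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(value, strict=False)

def inbound_web(src, dst, dport, variables):
    """Would 'alert tcp $EXTERNAL_NET any -> $HOME_NET 80' consider this flow?"""
    return (dport == 80
            and in_set(src, "$EXTERNAL_NET", variables)
            and in_set(dst, "$HOME_NET", variables))

if __name__ == "__main__":
    v = parse_vars(SAMPLE_CONF)
    print(inbound_web("198.51.100.7", "192.0.2.10", 80, v))   # remote -> sensor
    print(inbound_web("192.0.2.10", "198.51.100.7", 80, v))   # sensor -> remote
```

With both variables left at `any`, the same function matches traffic in either direction, which is why setting HOME_NET to the monitored address matters for rule accuracy.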
Why don't you try psad? It's a more simple IDS like snort.
Snort and PSAD are not alike.
PSAD is a portscan detector, like portsentry, ippl etc etc.
Snort is an IDS, like Prelude, Firestorm, Pakemon etc etc.
Check out the LQ FAQ: Security references, look for "Snort vs portsentry" if you want to read about differences.