[Snort-users] New Snort Configuration

Timothy L. Robertson tlrobertson at ...468...
Sun Sep 17 17:29:22 EDT 2000


Hello Everyone,

I've just installed snort in what I suspect will be an increasingly common
configuration and would like some advice from the list.  I have a FreeBSD
box with 2 NICs which acts as a router between a DSL modem (10.0.0.1) and my
internal network (192.168.1.1/24).  I connect using PPPoE (tun0) to my ISP,
who dynamically assigns an IP address, and use FreeBSD's nat facility to
translate addresses for the internal network.  I run snort with the command:

snort -Ds -A full -l /var/log/snort -c /usr/local/share/snort/snort-lib -i tun0

I've modified snort-lib with:
var HOME_NET 192.168.1.1/24
preprocessor portscan-ignorehosts: $DNS_SERVER1 $DNS_SERVER2 $DNS_SERVER3

The first problem is that I'm not sure if it's working.  If I run a portscan
from this webpage:
http://www.cablemodemhelp.com/portscan.htm
I have no alerts generated and no packets logged.  What are some other ways
to test the installation?

Second, I'm sure my $HOME_NET is not correct.  The interface tun0 should
never see packets from the 192.168.1 net because of NAT.  My IP address is
dynamically assigned, however, so I can't just hardcode something in here.
I don't think this is such a big deal, because doesn't this just make the
arrows point the right ways?  Anyway, is there a more correct way of doing
this?

Any comments or suggestions appreciated.

Thanks,
-Tim
timothyr at ...469...
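
An added example, not part of the original post: one way to keep HOME_NET matched to a dynamically assigned address is to read the interface's current address when snort is started and generate the `var HOME_NET` line from it. The function names, the sample `ifconfig` output, the 203.0.113.x addresses, and the choice of a /32 are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed samples of `ifconfig tun0` output on a point-to-point link.
# 203.0.113.x are documentation addresses, not values from the post.
SAMPLE_UP='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 203.0.113.7 --> 203.0.113.1 netmask 0xffffffff'
SAMPLE_DOWN='tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500'

# valid_ipv4 ADDR: succeed only for a dotted quad with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# home_net_line: read ifconfig output on stdin and print a "var HOME_NET"
# line for the first inet address. Fails when the link has no address yet
# (PPPoE still down), so snort is not started with an empty HOME_NET.
home_net_line() {
    addr=$(awk '$1 == "inet" { print $2; exit }')
    if ! valid_ipv4 "$addr"; then
        echo "no usable IPv4 address on interface" >&2
        return 1
    fi
    # /32 is an assumption: the external side is a single host address.
    printf 'var HOME_NET %s/32\n' "$addr"
}

# Live use would be: ifconfig tun0 | home_net_line
printf '%s\n' "$SAMPLE_UP" | home_net_line
```

The generated line uses the same `var HOME_NET` syntax as the snort-lib edit in the post; it has to be regenerated whenever the PPPoE session comes up with a new address.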



