[Snort-users] New Snort Configuration
Timothy L. Robertson
tlrobertson at ...468...
Sun Sep 17 17:29:22 EDT 2000
I've just installed snort in what I suspect will be an increasingly common
configuration and would like some advice from the list. I have a FreeBSD
box with 2 NICs which acts as a router between a DSL modem (10.0.0.1) and my
internal network (192.168.1.1/24). I connect using PPPoE (tun0) to my ISP,
who dynamically assigns an IP address, and use FreeBSD's nat facility to
translate addresses for the internal network. I run snort with the command:

    snort -Ds -A full -l /var/log/snort -c /usr/local/share/snort/snort-lib -i

I've modified snort-lib with:

    var HOME_NET 192.168.1.1/24
    preprocessor portscan-ignorehosts: $DNS_SERVER1 $DNS_SERVER2 $DNS_SERVER3

The first problem is that I'm not sure if it's working. If I run a portscan
from this webpage:
I have no alerts generated and no packets logged. What are some other ways
to test the installation?

Second, I'm sure my $HOME_NET is not correct. The interface tun0 should
never see packets from the 192.168.1 net because of NAT. My IP address is
dynamically assigned, however, so I can't just hardcode something in here.
I don't think this is such a big deal, because doesn't this just make the
arrows point the right ways? Anyway, is there a more correct way of doing

Any comments or suggestions appreciated.
timothyr at ...469...
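
An added example, not part of the original post: one way to avoid hardcoding HOME_NET when tun0 gets a dynamic address is to read the current address from ifconfig and regenerate the "var HOME_NET" line before Snort starts. The sample ifconfig output, the addresses, the /32 mask and the file names are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample: `ifconfig tun0` output for a PPPoE link (documentation addresses).
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 203.0.113.7 --> 203.0.113.1 netmask 0xffffffff'

# Constructed sample rules file, using the two lines quoted in the post.
SAMPLE_CONF='var HOME_NET 192.168.1.1/24
preprocessor portscan-ignorehosts: $DNS_SERVER1 $DNS_SERVER2 $DNS_SERVER3'

# Read ifconfig output on stdin; print the first IPv4 address, or fail if
# there is none or it is not a well-formed dotted quad.
extract_inet() {
    awk '$1 == "inet" {
        n = split($2, o, ".")
        if (n != 4) exit 1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] > 255) exit 1
        print $2; found = 1; exit 0
    }
    END { if (!found) exit 1 }'
}

# $1 = ifconfig output for the external interface; rules file on stdin,
# rewritten rules file on stdout. The /32 mask is an assumption of this example.
rewrite_home_net() {
    addr=$(printf '%s\n' "$1" | extract_inet) || {
        echo "no valid inet address found" >&2
        return 1
    }
    # addr contains only digits and dots here, so it is safe inside the sed script.
    sed "s|^var HOME_NET .*|var HOME_NET $addr/32|"
}

# Real use (file names hypothetical):
#   rewrite_home_net "$(ifconfig tun0)" < snort-lib > snort-lib.new
printf '%s\n' "$SAMPLE_CONF" | rewrite_home_net "$SAMPLE_IFCONFIG"
```

Snort reads the rules file at startup, so the line has to be regenerated and Snort restarted whenever the PPPoE address changes.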