[Snort-users] New Snort Configuration

Blake Frantz blake at ...395...
Sun Sep 17 18:27:33 EDT 2000


Get nmap from www.insecure.org.

-blake

On Sun, 17 Sep 2000, Timothy L. Robertson wrote:

> Hello Everyone,
> 
> I've just installed snort in what I suspect will be an increasingly common
> configuration and would like some advice from the list.  I have a FreeBSD
> box with 2 NICs which acts as a router between a DSL modem (10.0.0.1) and my
> internal network (192.168.1.1/24).  I connect using PPPoE (tun0) to my ISP,
> who dynamically assigns an IP address, and use FreeBSD's nat facility to
> translate addresses for the internal network.  I run snort with the command:
> 
> snort -Ds -A full -l /var/log/snort -c /usr/local/share/snort/snort-lib -i tun0
> 
> I've modified snort-lib with
> var HOME_NET 192.168.1.1/24
> preprocessor portscan-ignorehosts: $DNS_SERVER1 $DNS_SERVER2 $DNS_SERVER3
> 
> The first problem is that I'm not sure if it's working.  If I run a portscan
> from this webpage:
> http://www.cablemodemhelp.com/portscan.htm
> I have no alerts generated and no packets logged.  What are some other ways
> to test the installation?
> 
> Second, I'm sure my $HOME_NET is not correct.  The interface tun0 should
> never see packets from the 192.168.1 net because of NAT.  My IP address is
> dynamically assigned, however, so I can't just hardcode something in here.
> I don't think this is such a big deal, because doesn't this just make the
> arrows point the right ways?  Anyway, is there a more correct way of doing
> this?
> 
> Any comments or suggestions appreciated.
> 
> Thanks,
> -Tim
> timothyr at ...469...
> 
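
For the dynamically assigned address raised in the quoted question, one way to avoid hardcoding `HOME_NET` is to regenerate that line from the address currently on `tun0`. This is an added example, not part of the thread or of Snort; the function names, the `/32` mask, the FreeBSD `ifconfig` output format and the sample address are assumptions.

```shell
#!/bin/sh
# Added example: build the "var HOME_NET" line from the address that is
# currently assigned to the PPPoE interface, instead of hardcoding it.

# Constructed sample of FreeBSD `ifconfig tun0` output for a point-to-point
# link (203.0.113.0/24 is a documentation range, not taken from the thread).
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
	inet 203.0.113.7 --> 203.0.113.1 netmask 0xffffffff'

# Read ifconfig output on stdin and print the first IPv4 address.
# Returns non-zero when the interface has no address (link down).
iface_addr() {
    awk '$1 == "inet" { print $2; exit }' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Read ifconfig output on stdin and print the variable line for the rules
# file. /32 is an assumption: only the router's own external address.
home_net_line() {
    addr=$(iface_addr) || {
        echo "no IPv4 address on interface; leaving HOME_NET alone" >&2
        return 1
    }
    printf 'var HOME_NET %s/32\n' "$addr"
}

# Read ifconfig output on stdin, copy rules file $1 to $2 with its
# HOME_NET line replaced. The original file is never modified in place.
rewrite_home_net() {
    line=$(home_net_line) || return 1
    sed "s|^var HOME_NET .*|$line|" "$1" > "$2"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_IFCONFIG" | home_net_line

# Live use (assumption, run whenever the PPPoE link comes up):
#   ifconfig tun0 | rewrite_home_net snort-lib snort-lib.tun0
```

Snort reads its configuration at startup, so the process has to be restarted with the regenerated file after each address change.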



