[Snort-users] New Snort Configuration
fygrave at ...121...
Mon Sep 18 20:13:26 EDT 2000
On Sun, 17 Sep 2000 out of nowhere Timothy L. Robertson spoke:
~ :snort -Ds -A full -l /var/log/snort -c /usr/local/share/snort/snort-lib -i
~ :I've modified snort-lib so with
~ :var HOME_NET 192.168.1.1/24
Well, it will not be able to reach this network from outside. It is a
non-routable subnet. :)
~ :preprocessor portscan-ignorehosts: $DNS_SERVER1 $DNS_SERVER2 $DNS_SERVER3
~ :The first problem is that I'm not sure if it's working. If I run a portscan
~ :from this webpage:
~ :I have no alerts generated and no packets logged. What are some other ways
~ :to test the installation?
~ :Second, I'm sure my $HOME_NET is not correct. The interface tun0 should
~ :never see packets from the 192.168.1 net because of NAT. My IP address is
~ :dynamically assigned, however, so I can't just hardcode something in here.
Well, I think there was a script posted on the web which allows you to
start snort with a dynamic IP address. Basically, if you're using pppd, you
can put stuff into ppp_up and ppp_down to restart snort every time with
the new IP address; otherwise have a look into the scripts/programs which you use
to initialize your interface to perform this task :)
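
The restart-on-link-up approach suggested in the reply, as an added example that is not part of the original message or of the Snort distribution. It assumes pppd's hook argument order (interface, tty, speed, local IP, remote IP) and a hypothetical include file, /etc/snort/home_net.conf, that snort-lib pulls in with `include` instead of a hard-coded `var HOME_NET` line:

```shell
#!/bin/sh
# Added example: pppd link-up hook that restarts snort with the address just assigned.
# Assumption: pppd runs the hook as <iface> <tty> <speed> <local-ip> <remote-ip> [ipparam].
# Assumption: snort-lib contains "include /etc/snort/home_net.conf" (hypothetical path).
HOME_NET_FILE="${HOME_NET_FILE:-/etc/snort/home_net.conf}"
SNORT_CONF="/usr/local/share/snort/snort-lib"   # path from the original post
SNORT_LOG="/var/log/snort"                      # path from the original post

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Prints the rules-file line that pins HOME_NET to the single address on the link.
home_net_line() {
    valid_ipv4 "$1" || return 1
    printf 'var HOME_NET %s/32\n' "$1"
}

# Writes that line to file $2 via a temp file, so snort never reads a partial file.
write_home_net() {
    line=$(home_net_line "$1") || return 1
    printf '%s\n' "$line" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Runs only when invoked by pppd with its usual arguments.
if [ "$#" -ge 4 ]; then
    iface=$1
    case "$iface" in ''|*[!A-Za-z0-9]*) exit 1 ;; esac   # refuse odd interface names
    write_home_net "$4" "$HOME_NET_FILE" || exit 1
    pkill -x snort 2>/dev/null || true    # stop the instance bound to the old address
    exec snort -Ds -A full -l "$SNORT_LOG" -c "$SNORT_CONF" -i "$iface"
fi
```
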