[Snort-users] New Snort Configuration

Fyodor fygrave at ...121...
Mon Sep 18 20:13:26 EDT 2000


On Sun, 17 Sep 2000 out of nowhere Timothy L. Robertson spoke:

~ :snort -Ds -A full -l /var/log/snort -c /usr/local/share/snort/snort-lib -i
~ :tun0
~ :
~ :I've modified snort-lib so with
~ :var HOME_NET 192.168.1.1/24

Well, it will not be able to reach this network from outside. It is a
non-routable subnet. :)


~ :preprocessor portscan-ignorehosts: $DNS_SERVER1 $DNS_SERVER2 $DNS_SERVER3
~ :
~ :The first problem is that I'm not sure if it's working.  If I run a portscan
~ :from this webpage:
~ :http://www.cablemodemhelp.com/portscan.htm
~ :I have no alerts generated and no packets logged.  What are some other ways
~ :to test the installation?


~ :
~ :Second, I'm sure my $HOME_NET is not correct.  The interface tun0 should
~ :never see packets from the 192.168.1 net because of NAT.  My IP address is
~ :dynamically assigned, however, so I can't just hardcode something in here.

Well, I think there was a script posted on the web which allows you to
start snort with a dynamic IP address. Basically, if you're using pppd, you
can put stuff into ppp_up and ppp_down to restart snort every time with
the new IP address; otherwise have a look at the scripts/programs which you use
to initialize your interface to perform this task :)
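
One way to do what the reply describes, as an added example that is not part of the original message: a script for the link-up hook that rewrites `var HOME_NET` to the newly assigned address and restarts snort. It assumes the hook passes the interface as `$1` and the local IP as `$4`, as pppd does for `/etc/ppp/ip-up`; `RUNCONF` and the pid-file path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Call from the link-up hook as:
#   snort-restart <iface> <tty> <speed> <local-ip>   (pppd's ip-up argument order)
TEMPLATE=${TEMPLATE:-/usr/local/share/snort/snort-lib}  # rules file named in the post
RUNCONF=${RUNCONF:-/var/run/snort-dynamic.conf}         # hypothetical output path

# Accept only a dotted quad with octets 0..255: the value is written into a
# file snort parses and passed through sed, so nothing else may get in.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print template $1 with its HOME_NET line set to <$2>/32. Fails if the
# template has no HOME_NET line, so snort never starts with a stale value.
render_conf() {
    grep -q '^var HOME_NET ' "$1" || return 1
    sed "s|^var HOME_NET .*|var HOME_NET $2/32|" "$1"
}

main() {
    iface=$1 ip=$4
    pidfile=/var/run/snort_$iface.pid   # assumption: where this build writes its pid
    valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    render_conf "$TEMPLATE" "$ip" > "$RUNCONF.tmp" || return 1
    mv "$RUNCONF.tmp" "$RUNCONF"
    # Stop the instance still watching the previous address, if any.
    if [ -f "$pidfile" ]; then kill "$(cat "$pidfile")" 2>/dev/null || true; fi
    # Same options as the command line in the post, with the generated config.
    snort -Ds -A full -l /var/log/snort -c "$RUNCONF" -i "$iface"
}

if [ $# -ge 4 ]; then main "$@"; fi
```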




