[Summary] New Snort Configuration (FreeBSD 4.1S)

Wed Sep 20 13:21:36 EDT 2000

I thought I'd post a little summary reflecting my experiences installing
snort so others who search the mailing list archives can find it.

My home network consists of a DSL modem that is connected to an Ethernet
interface of my FreeBSD 4.1-STABLE box, which acts as firewall and gateway
to my private network on another Ethernet interface.  I connect to my ISP
using PPPoE and the netgraph kernel modules as described at
http://www.freebsd.org/handbook/pppoe.html.  I installed snort by cvsuping
the latest ports tree and doing a make install in /usr/ports/security/snort.
Because my ISP gives me a dynamic IP address, I could not just use snort out
of the box since /usr/local/share/snort/snort-lib requires hardcoding the IP
address into the variable $HOME_NET.  Thanks to Gregor Binder, Vitaly
McLain, and Fyodor for pointing me to a script by Sten Kalenda Apeldoorn on
the snort webpage which rewrites the snort-lib to reflect the dynamically
assigned IP address.  The script assumes a System V style ifconfig and had
to be modified slightly to accommodate Berkeley Unix. (Script attached
below.)  Finally, I saved this script as /etc/snortstart.sh and added the line
	/bin/sh /etc/snortstart.sh
to /etc/rc.local.  This approach works fine on my system, but may run into
some difficulty on systems where the DHCP server reassigns an IP address
after lease expiration; in that case /etc/ppp/ppp.linkup might be a more
appropriate location.

To test my installation I did portscans from
http://www.cablemodemhelp.com/portscan.htm and HackerWhacker.com and saw
alerts flashed to the console and logged to /var/log/snort.  For more
extensive testing one could install nmap from www.insecure.org as suggested
by Blake Frantz.

Thanks to everyone who helped and Happy Snorting!
-----Begin /etc/snortstart.sh---------------------------------
# address_config.sh -v0.2
# Handy script for laptop users that change their
# IP address frequently. This automates the
# process of updating your Snort rules file.
# You might find this little script useful, enjoy...
# Sten Kalenda Apeldoorn The Netherlands
# (BSD ifconfig version. The settings block was missing from the posted
# copy; the values below are assumptions, check them against your install.)
# ------------------ MODIFY HERE ---------------------------------------
IF0=ng0                               # external (PPPoE/netgraph) interface
SNORTDIR=/usr/local/bin               # where the port put the snort binary
SNORTLIBDIR=/usr/local/share/snort    # directory holding snort-lib
SNORTLOGDIR=/var/log/snort
# ------------------ DO NOT CHANGE BELOW -------------------------------
if [ ! -d "$SNORTLIBDIR" ] ; then
   echo "Directory $SNORTLIBDIR not found"
   exit 1
fi
if [ ! -d "$SNORTLOGDIR" ] ; then
   mkdir -p "$SNORTLOGDIR"
   chmod 700 "$SNORTLOGDIR"
fi
# First 'inet' line of the interface (the posted 'tail -2 | head -1'
# depends on line order and picks up inet6 or alias lines).
MYIP=`/sbin/ifconfig $IF0 | awk '$1 == "inet" { print $2; exit }'`
if [ -z "$MYIP" ] ; then
   echo "No IPv4 address on $IF0"
   exit 1
fi
# Rewrite the HOME_NET line of snort-lib into snort-lib_run (single host, /32).
CHG="s|^var HOME_NET .*|var HOME_NET $MYIP/32|"
cd "$SNORTLIBDIR" || exit 1
sed "$CHG" snort-lib > snort-lib_run

# This is the line which starts snort.  Change command line options here.
$SNORTDIR/snort -svD -A full -l $SNORTLOGDIR -c $SNORTLIBDIR/snort-lib_run -i $IF0

-----End /etc/snortstart.sh-----------------------------------
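The rewrite step the post describes, as an added, self-contained example (this is not Sten Kalenda Apeldoorn's script and not code from the post): it pulls the first IPv4 address out of ifconfig output, refuses anything that is not a dotted quad, and generates a snort-lib_run with the HOME_NET line replaced. The ifconfig text and the snort-lib fragment are constructed sample data; the `var HOME_NET <cidr>` line syntax of Snort 1.x rules files and the FreeBSD point-to-point `inet A --> B` output format are assumptions. On a real box you would feed it `ifconfig ng0` and the real snort-lib instead.

```shell
#!/bin/sh
# Added example, not the script from the post. Rewrites HOME_NET in a Snort 1.x
# rules file from the address an interface currently holds.
# Assumptions: the rules file has a 'var HOME_NET <cidr>' line and ifconfig
# prints an 'inet <addr> ...' line for the interface (FreeBSD point-to-point
# form shown below).

# Constructed ifconfig output for a PPPoE netgraph interface (not captured
# from a real host).
SAMPLE_IFCONFIG='ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1492
        inet 203.0.113.45 --> 203.0.113.1 netmask 0xffffffff'

# Constructed snort-lib fragment with the hard-coded HOME_NET the post mentions.
SAMPLE_LIB='# snort-lib (constructed fragment)
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"portmap request";)'

# Print the first IPv4 address in ifconfig output read on stdin, exit 1 if none.
# Keying on the 'inet' keyword instead of 'tail -2 | head -1' makes this
# independent of line order and skips inet6 lines.
ip_from_ifconfig() {
    awk '$1 == "inet" { print $2; found = 1; exit } END { exit !found }'
}

# Accept only a dotted quad with octets 0-255. Old Linux ifconfig prints
# 'inet addr:10.0.0.1', which must not end up in the rules file as-is.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Copy rules file $1 to $2 with HOME_NET set to host $3 as a /32.
# Fails if the address is malformed or the file has no HOME_NET line, so a
# silently unchanged file never starts snort watching the wrong network.
rewrite_home_net() {
    src=$1; dst=$2; ip=$3
    is_ipv4 "$ip" || { echo "refusing bad address '$ip'" >&2; return 1; }
    grep -q '^var HOME_NET ' "$src" || { echo "no HOME_NET in $src" >&2; return 1; }
    sed "s|^var HOME_NET .*|var HOME_NET $ip/32|" "$src" > "$dst.tmp" \
        && mv "$dst.tmp" "$dst"
}

# Run the whole step on the constructed data and print the generated file.
# Real use: ifconfig ng0 | ip_from_ifconfig, then rewrite_home_net on the
# real snort-lib.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_LIB" > "$d/snort-lib"
    ip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | ip_from_ifconfig) || return 1
    rewrite_home_net "$d/snort-lib" "$d/snort-lib_run" "$ip" || return 1
    cat "$d/snort-lib_run"
    rm -r "$d"
}

demo
```

The two refusals are the point: a rules file generated from garbage (an interface with no address yet, or an ifconfig whose output shape differs from what the parser expects) would start snort with a HOME_NET that matches nothing, and alerts keyed on $HOME_NET would silently stop firing. Failing loudly before snort starts is cheaper than discovering that weeks later.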

