[Snort-users] [Summary] New Snort Configuration (FreeBSD 4.1S)

Timothy L. Robertson timothyr at ...469...
Wed Sep 20 13:21:36 EDT 2000


I thought I'd post a little summary reflecting my experiences installing
snort so others who search the mailing list archives can find it.

My home network consists of a DSL modem that is connected to an Ethernet
interface of my FreeBSD 4.1-STABLE box, which acts as firewall and gateway
to my private network on another Ethernet interface.  I connect to my ISP
using PPPoE and the netgraph kernel modules as described at
http://www.freebsd.org/handbook/pppoe.html.  I installed snort by cvsuping
the latest ports tree and doing a make install in /usr/ports/security/snort.
Because my ISP gives me a dynamic IP address, I could not just use snort out
of the box since /usr/local/share/snort/snort-lib requires hardcoding the IP
address into the variable $HOME_NET.  Thanks to Gregor Binder, Vitaly
McLain, and Fyodor for pointing me to a script by Sten Kalenda Apeldoorn on
the snort webpage which rewrites the snort-lib to reflect the dynamically
assigned IP address.  The script assumes a System V style ifconfig and had
to be modified slightly to accommodate Berkeley Unix. (Script attached
below.)  Finally, I saved this script as /etc/snortstart.sh and added the
line
	/bin/sh /etc/snortstart.sh
to /etc/rc.local.  This approach works fine on my system, but may run into
some difficulty on systems where the DHCP server reassigns an IP address
after lease expiration; in that case /etc/ppp/ppp.linkup might be a more
appropriate location.

To test my installation I did portscans from
http://www.cablemodemhelp.com/portscan.htm and HackerWhacker.com and saw
alerts flashed to the console and logged to /var/log/snort.  For more
extensive testing one could install nmap from www.insecure.org as suggested
by Blake Frantz.

Thanks to everyone who helped and Happy Snorting!
-Tim
timothyr at ...469...

-----Begin /etc/snortstart.sh---------------------------------
#!/bin/sh
# address_config.sh -v0.2
# Handy script for laptop users that change their
# IP address frequently. This automates the
# process of updating your Snort rules file.
# You might find his little script can be useful, enjoy...
# Sten Kalenda Apeldoorn The Netherlands
# ------------------ MODIFY HERE ---------------------------------------
IF0=tun0
MASK="32"
SNORTDIR="/usr/local/bin"
SNORTLIBDIR="/usr/local/share/snort"
SNORTLOGDIR="/var/log/snort"
# ------------------ DO NOT CHANGE BELOW -------------------------------
if [ ! -d "$SNORTLIBDIR" ] ; then
   echo Directory $SNORTLIBDIR not found
   exit
fi
cd $SNORTLIBDIR
if [ ! -e "$SNORTLOGDIR" ] ; then
   mkdir $SNORTLOGDIR
   chmod 700 $SNORTLOGDIR
fi
MYIP=`/sbin/ifconfig $IF0 | tail -2 | head -1| awk '{print $2}'`
#MYIP="216.175.89.29"
CHG=s\/10\.1\.1\.0\\/24/$MYIP\\/$MASK/g
cat snort-lib | sed $CHG > snort-lib_run

# This is the line which starts snort.  Change command line options here.
$SNORTDIR/snort -svD -A full -l $SNORTLOGDIR -c
$SNORTLIBDIR/snort-lib_run -i $IF0

-----End /etc/snortstart.sh-----------------------------------




More information about the Snort-users mailing list