Paul Greene
Sat Jul 20 18:40:04 EDT 2002

I would like to set up an IDS bridge using Snort and OpenBSD (the beginning 
stages of a honeypot).

The configuration is a home setup, using a cable modem, with another obsd 
box running NAT connected to the cable modem, providing access to the 
internal LAN.

To test the install of obsd and snort, I first connected the honeypot box 
to a hub shared with the NAT box. It was catching and logging alerts just fine.

So then, I reconfigured the honeypot box as a bridge by creating the 
following three files:

hostname.xl0        --> media 10BaseT up
hostname.dc0        --> media 10BaseT up
bridgename.bridge0  --> add xl0
                        add dc0

I then ran a CAT5 cable from the cable modem to xl0, a crossover cable from 
dc0 to the NAT box. The honeypot box seems to work fine as a bridge; 
traffic flows from and to the internet just fine from the rest of the 
internal network.

However, snort doesn't appear to be logging anything. I tried running nmap 
on an external address, and also went to www.grc.com and ran a port scan 
back against my own network, but nothing was logged.

I tried leaving the variables for HOME_NET and EXTERNAL_NET to the default 
"any" and "$HOME_NET" respectively, and also tried:


This is the command I'm using to fire up snort (plagiarized directly from 
chapter 1 of the writing rules):

/usr/local/bin/snort -b -A fast -c /usr/local/share/examples/snort/snort.conf

Can anyone help out a snort newbie?

Paul Greene

