[Snort-users] snort and openbsd
pauljgreene at ...5068...
Sat Jul 20 18:40:04 EDT 2002
I would like to set up an IDS bridge using Snort and OpenBSD (the beginning
stages of a honeypot).
The configuration is a home setup, using a cable modem, with another obsd
box running NAT connected to the cable modem, providing access to the
To test the install of obsd and snort, I first connected the honeypot box
to a hub shared with the NAT box. It was catching and logging alerts just fine.
So then, I reconfigured the honeypot box as a bridge by creating the
following three files:
hostname.xl0 --> media 10BaseT up
hostname.dc0 --> media 10BaseT up
bridgename.bridge0 --> add xl0
I then ran a CAT5 cable from the cable modem to xl0, a crossover cable from
dc0 to the NAT box. The honeypot box seems to work fine as a bridge;
traffic flows from and to the internet just fine from the rest of the
However, snort doesn't appear to be logging anything. I tried running nmap
on an external address, and also went to www.grc.com and ran a port scan
back against my own network, but nothing was logged.
I tried leaving the variables for HOME_NET and EXTERNAL_NET to the default
"any" and "$HOME_NET" respectively, and also tried:
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !192.168.0.0/24
This is the command I'm using to fire up snort (plagiarized directly from
chapter 1 of the writing rules):
/usr/local/bin/snort -b -A fast -c /usr/local/share/examples/snort/snort.conf
Can anyone help out a snort newbie?