[Snort-users] newbie configuration issues

Paul Greene pauljgreene at ...5068...
Wed Jul 24 06:19:02 EDT 2002


At 10:14 PM 7/23/2002 -0700, John Sage wrote:
>Paul:
>
>On Tue, Jul 23, 2002 at 09:58:01PM -0400, Paul Greene wrote:
> > Hello All;
> >
> > I recently installed Snort on an "IDS bridge" using OpenBSD.
>
>So the "IDS bridge" is a box with -- what? -- two NIC's? Are the NIC's
>assigned IP addresses, or are they address-less?
>
>If this is the case, you may want to check the list archives, and the
>FAQ's 3.1 and 3.2...

Two NICS with no IP addresses. The intention is to make the box invisible 
on the network, and also put it in front of the gateway box running NAT so 
that it sees all incoming traffic, not just the traffic that makes it past 
the gateway/NAT box. As a bridge it seems to work fine; there's no problem 
with traffic getting in and out. I'm basing this on the concept of a 
"bridging firewall", but I don't want to block any traffic at this point; 
so I'm trying to modify the concept to be a "bridging IDS".

>How do you have $HOME_NET and $EXTERNAL_NET set?

These haven't been changed from the default snort.conf file. Frankly I 
wasn't sure what to do with these.

var HOME_NET any
var EXTERNAL_NET $HOME_NET

> > The setup is a cable modem. The "IDS bridge" is between the cable modem 
> and
> > the NAT box (another openbsd box). The NAT box is dynamically assigned an
> > IP address in the 68.48.xxx.xxx range by the cable company. The internal
> > network is a 192.168.0.0/24 network.
>
>If you're getting a dynamically-assigned IP address back on the NAT
>box, /* somehow I'm having a hard time picturing this: the modem and
>the "IDS bridge" are just acting as though they're wire: packets just
>pass through with their IP addresses unexamined? */ how do you account
>for that relative to $HOME_NET?

The ISP changes the IP number about every 4-6 weeks, but I haven't used 
that IP number in any configuration files yet anyway

>Do you have some equivalent to:
>
>var HOME_NET $ppp0_ADDRESS

Just the default listed above. I have to plead ignorance on this point, 
though this is likely where the problem lies.

>- John

Paul






More information about the Snort-users mailing list