[Snort-users] Snort on home DSL connection
erek at ...950...
Thu Dec 25 06:34:01 EST 2003
On Wed, 24 Dec 2003, Bell, Josh wrote:
> Another Snort newb here...
> I've set up a Snort box at home so I can have an 'expendable' box to
> experiment and learn on. I have an SBC DSL connection. The DSL line
> runs into my DSL modem, from there to a little hub, and from there to a
> Linksys-type router/firewall, where my machines are connected. It's a
> PPPoE DSL connection so my IP can and does change rather frequently.
> On my Snort box, eth0 is connected to the 'inside' network with an
> RFC1918 address and eth1 is connected to the hub in promiscuous mode.
> It receives all traffic that hits the hub; the only problem I have is I
> don't know how to set the HOME_NET variable. I can't use eth0's IP
> because that's just a 192.168 address. Eth1 has no IP and I don't want
> to statically plug in in there. Can I use a DNS name? I have a DYNDNS
> account which in theory is updated regularly and should be the IP of my
> router. If not, is there some way of telling it to use whatever IP is
> currently assigned to a particular MAC?
Use the 192.158.x.x address as HOME_NET. After all, you're looking to see
what is coming from the internet (var EXTERNAL_NET !$HOME_NET) that's
coming at you (PPPoE). Since Snort doesn't handle PPPoE that well, you're
better off to listen to the 'inside' interface (192.168.x.x) and see
what's passing "thru" the router/gateway.
"When things get weird, the weird turn pro." H.S. Thompson