[Snort-users] Snort on home DSL connection

Erek Adams erek at ...950...
Thu Dec 25 06:34:01 EST 2003

On Wed, 24 Dec 2003, Bell, Josh wrote:

> Another Snort newb here...
> I've set up a Snort box at home so I can have an 'expendable' box to
> experiment and learn on.  I have an SBC DSL connection.  The DSL line
> runs into my DSL modem, from there to a little hub, and from there to a
> Linksys-type router/firewall, where my machines are connected.  It's a
> PPPoE DSL connection so my IP can and does change rather frequently.
> On my Snort box, eth0 is connected to the 'inside' network with an
> RFC1918 address and eth1 is connected to the hub in promiscuous mode.
> It receives all traffic that hits the hub, the only problem I have is I
> don't know how to set the HOME_NET variable.  I can't use eth0's IP
> because that's just a 192.168 address.  Eth1 has no IP and I don't want
> to statically plug one in there.  Can I use a DNS name?  I have a DYNDNS
> account which in theory is updated regularly and should be the IP of my
> router.  If not, is there some way of telling it to use whatever IP is
> currently assigned to a particular MAC?

Use the 192.158.x.x address as HOME_NET.  After all you're looking to see
what is coming from the internet (var EXTERNAL_NET !$HOME_NET) that's
coming at you (PPPoE).  Since Snort doesn't handle PPPoE that well, you're
better off to listen to the 'inside' interface (192.168.x.x) and see
what's passing "thru" the router/gateway.


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

