[Snort-users] Snort with DHCP
erek at ...950...
Fri May 2 15:25:26 EDT 2003
On Fri, 2 May 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:
> Thanks Erek for your nice explanation. So just to confirm, if I add the
> below lines
> "var HOME_NET $eth0_ADDRESS" in snort.conf, along with other
> configuration lines and
> "/usr/local/bin/snort -i eth0 -l /var/log/snort/ -d -b -c
> /etc/snort/snort.cond -D -p "
> will meet my requirements that
> "running snort to watch the network traffic destined only to my machine
> and also taking care of the changing IP address
> in DHCP scenario"
> If I am wrong somewhere, please correct me.
Exactly. You can also modify your command line to be a bit 'better'. If
you are logging to binary (unified, pcap, or -b) then -d is a waste of
time. No need since the packets are dumped as a whole. You can also drop
the -p since it doesn't matter. Only use the -p if you need to. Since
you are a single node on a DHCP net, then promisc mode does not matter.
You'll still see broadcasts and ARP requests...
"When things get weird, the weird turn pro." H.S. Thompson