[Snort-users] Snort with DHCP

Erek Adams erek at ...950...
Fri May 2 15:25:26 EDT 2003

On Fri, 2 May 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:

> Thanks Erek for your nice explaination. So just to confirm ,if I add the
> below lines
> "var HOME_NET $eth0_ADDRESS" in snort.conf, along with other
> configuration lines and
> "/usr/local/bin/snort -i eth0 -l /var/log/snort/ -d -b -c
> /etc/snort/snort.cond -D -p "
> will meet my requirements that
> "running snort to watch the network traffic destined only to my machine
> and also taking care of the changing IP address
> in DHCP scenario"
> If I am wrong somewhere , please correct me.

Exactly.  You can also modify your command line to be a bit 'better'.  If
you are logging to binary (unified, pcap, or -b) then -d is a waste of
time.  No need since the packets are dumped as a whole.  You can also drop
the -p since it doesn't matter.  Only use the -p if you need to.  Since
you are a single node on a DHCP net, then promisc mode does not matter.
You'll still see broadcasts and ARP requests...


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

More information about the Snort-users mailing list