[Snort-users] snort on a worksation (fc1) <-- router <-- cable-modem <-- internet

Matt Kettler mkettler at ...4108...
Tue May 11 15:55:02 EDT 2004


At 04:52 PM 5/11/2004, steph march wrote:
>I would like to monitor for internet activity
>and not the internal activity, but I'm having
>trouble understanding how to do that with a router.
>(and for sure, activity on the workstation with
>snort, which is, let say, 192.168.1.3)
>
>So it will look like this :
>var HOME_NET [192.168.1.0/24]
>
>but what happen if 192.168.1.1 is the router ?

What about it? Do you honestly expect packets to be addressed to 
192.168.1.1 (other than ARPs)?

You won't be able to see any internet traffic addressed directly to the 
router, but that would be impossible anyway. Internet traffic to the router 
is going to be addressed to the outside interface address, not the inside 
address, and you'll only be able to see that traffic by tapping in between 
the cable modem and the router.
>and what about the workstation with snort (192.168.1.3) ?

So? Do you want to monitor internet traffic being a

It sounds like you want the following as your HOME_NET and EXTERNAL_NET:

var HOME_NET [192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET


Also be aware if you are using any ethernet switches, or a switch built 
into the router, snort will only see traffic relating to the switch port 
snort is connected to.
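To make concrete what those two variable definitions select, here is a small Python model (added to this archive page; it is neither code from the thread nor Snort's own matching engine) that applies HOME_NET and EXTERNAL_NET = !$HOME_NET to a few constructed sample flows. The 203.0.113.x address, the extra LAN host 192.168.1.5 and the two rule headers are assumptions used only for illustration.

```python
import ipaddress

# var HOME_NET [192.168.1.0/24], as given in the thread.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]


def in_home_net(addr):
    """True if addr falls inside any HOME_NET range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def in_external_net(addr):
    """var EXTERNAL_NET !$HOME_NET: everything that is not HOME_NET."""
    return not in_home_net(addr)


def matches_inbound_rule(src, dst):
    """Header 'alert tcp $EXTERNAL_NET any -> $HOME_NET any' (assumed rule)."""
    return in_external_net(src) and in_home_net(dst)


def matches_bidirectional_rule(src, dst):
    """Header 'alert tcp $EXTERNAL_NET any <> $HOME_NET any' (assumed rule),
    which also catches traffic the LAN initiates towards the internet."""
    return matches_inbound_rule(src, dst) or matches_inbound_rule(dst, src)


# Constructed sample flows (src, dst); not captured traffic.
SAMPLE_FLOWS = [
    ("203.0.113.10", "192.168.1.3"),  # internet -> snort workstation
    ("192.168.1.5", "192.168.1.3"),   # LAN host -> workstation: internal only
    ("192.168.1.3", "192.168.1.1"),   # workstation -> router inside address
    ("192.168.1.3", "203.0.113.10"),  # workstation -> internet (outbound)
]


def classify(flows):
    """Return (src, dst, inbound_hit, bidirectional_hit) for each flow."""
    return [(s, d, matches_inbound_rule(s, d), matches_bidirectional_rule(s, d))
            for s, d in flows]


if __name__ == "__main__":
    for src, dst, inbound, both in classify(SAMPLE_FLOWS):
        print(f"{src:>15} -> {dst:<15} inbound={inbound!s:5} bidirectional={both}")
```

Only the first flow matches the one-way header; the router's inside address 192.168.1.1 and the other LAN host are inside HOME_NET, so LAN-to-LAN traffic never matches either rule, which is exactly the "internet only, not internal" effect the poster was after.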
