[Snort-users] snort on a workstation (fc1) <-- router <-- cable-modem <-- internet
mkettler at ...4108...
Tue May 11 15:55:02 EDT 2004
At 04:52 PM 5/11/2004, steph march wrote:
>I would like to monitor for internet activity
>and not the internal activity, but I'm having
>trouble understanding how to do that with a router.
>(and for sure, activity on the workstation with
>snort, which is, let's say, 192.168.1.3)
>So it will look like this :
>var HOME_NET [192.168.1.0/24]
>but what happens if 192.168.1.1 is the router ?
What about it? Do you honestly expect packets to be addressed to
192.168.1.1 (other than arps)?
You won't be able to see any internet traffic addressed directly to the
router, but that would be impossible anyway. Internet traffic to the router
is going to be addressed to the outside interface address, not the inside
address, and you'll only be able to see that traffic by tapping in between
the cablemodem and the router.
>and what about the workstation with snort (192.168.1.3) ?
So? Do you want to monitor internet traffic being a
It sounds like you want the following as your HOME_NET and EXTERNAL_NET:
var HOME_NET [192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET
Also be aware that if you are using any ethernet switches, or a switch built
into the router, snort will only see traffic relating to the switch port
snort is connected to.
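
How the two variables above partition traffic, as an added example that is not part of the original post: a Python model of the HOME_NET / EXTERNAL_NET membership test applied to packet addresses. The sample addresses outside 192.168.1.0/24 and the function names are constructed for illustration.

```python
import ipaddress

# Values taken from the post's snort.conf lines.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]


def in_home(addr):
    """True if addr falls inside any HOME_NET block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def in_external(addr):
    """EXTERNAL_NET is !$HOME_NET: every address not in HOME_NET."""
    return not in_home(addr)


def classify(src, dst):
    """Say which kind of rule header a packet's addresses can satisfy."""
    if in_external(src) and in_home(dst):
        return "inbound"    # fits: $EXTERNAL_NET any -> $HOME_NET any
    if in_home(src) and in_external(dst):
        return "outbound"   # fits: $HOME_NET any -> $EXTERNAL_NET any
    if in_home(src) and in_home(dst):
        return "internal"   # fits neither header above
    return "outside"        # neither end is in HOME_NET


# Constructed sample packets (documentation address ranges for the internet side).
SAMPLES = [
    ("203.0.113.10", "192.168.1.3"),   # internet host to the snort workstation (after NAT)
    ("192.168.1.3", "203.0.113.10"),   # workstation to an internet host
    ("192.168.1.3", "192.168.1.1"),    # workstation to the router's inside address
    ("203.0.113.10", "198.51.100.7"),  # internet host to the router's outside address
]


def report():
    """Return (src, dst, class) for every sample packet."""
    return [(s, d, classify(s, d)) for s, d in SAMPLES]


if __name__ == "__main__":
    for src, dst, kind in report():
        print(f"{src:>15} -> {dst:<15} {kind}")
```

The last sample is the case described in the reply: it is addressed to the router's outside interface, so a sensor on the inside network does not see it at all.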