[Snort-users] My Snort IDS Sensor Detected Nessus Vulnerability Scan

waldo kitty wkitty42 at ...14940...
Sat Apr 19 10:54:51 EDT 2014


On 4/19/2014 6:38 AM, Teo En Ming wrote:
> Dear Eric G,
>
> I added my internet-facing IP address to HOME_NET but alerts did not increase
> tremendously. Here is my newly modified HOME_NET variable:
>
> ipvar HOME_NET [192.168.1.0/24,175.156.117.62]
>
> Please note that my internet-facing IP address is dynamic. Every time it
> changes, I would have to modify snort.conf accordingly.

you can easily take care of that by using an include file that is updated via a 
script every time your WAN IP changes... the script would update the include 
file to contain your new WAN address as well as your internal address 
range(s)... the script can also gather your new DNS server addresses from the 
ppp or dhcp connection and update those in the include file... after updating 
the include file, the script would then restart snort so the new addresses are 
being used...

eg: snort.conf
[...]
###################################################
# Step #1: Set the network variables.  For more information, see README.variables
###################################################

# Setup the network addresses you are protecting
include /etc/snort/homenet.txt
[...]


eg: homenet.txt would contain the following when updated
ipvar HOME_NET [your.wan.ip.address/32,your.internal.address.range]
ipvar DNS_SERVERS [8.8.8.8,8.8.4.4]


you would also need to comment out the existing DNS_SERVERS entry in your 
snort.conf if those might change with your dynamic IP since they are also 
included in the include file... you don't need to define the dns servers in the 
include file and update them with the script if they never change but if they 
do, it is important that you update them...



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
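
One way to write the update script described in the message above (an added example, not code from the original post or from the Snort project). It assumes the DHCP or PPP hook calls it as `--apply WAN_IP [DNS_IP...]`; the function names, the INTERNAL_NET default and the `service snort restart` command are assumptions. Addresses are validated before being written because they come from the upstream DHCP/PPP peer and end up in a file that Snort parses.

```shell
#!/bin/sh
# Added example: regenerate the Snort include file when the WAN address changes.
# The internal range and the restart command are assumptions; adjust them.
HOMENET_FILE="${HOMENET_FILE:-/etc/snort/homenet.txt}"
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"
RESTART_CMD="${RESTART_CMD:-service snort restart}"   # assumed init command

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the include-file body: HOME_NET from the WAN /32 plus the internal
# range, DNS_SERVERS from any remaining arguments (omitted if none are given).
render_homenet() {
    wan=$1; shift
    valid_ipv4 "$wan" || return 1
    dns_list=
    for dns in "$@"; do
        valid_ipv4 "$dns" || return 1
        dns_list="${dns_list:+$dns_list,}$dns"
    done
    printf 'ipvar HOME_NET [%s/32,%s]\n' "$wan" "$INTERNAL_NET"
    [ -z "$dns_list" ] || printf 'ipvar DNS_SERVERS [%s]\n' "$dns_list"
}

# Replace the file atomically. Returns 0 if changed, 1 if unchanged, 2 on bad input.
update_homenet() {
    new=$(render_homenet "$@") || return 2
    if [ -f "$HOMENET_FILE" ] && [ "$new" = "$(cat "$HOMENET_FILE")" ]; then
        return 1
    fi
    tmp=$(mktemp "$HOMENET_FILE.XXXXXX") || return 2
    printf '%s\n' "$new" > "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$HOMENET_FILE"
}

# Runs only when invoked as: script --apply WAN_IP [DNS_IP...]
if [ "${1:-}" = "--apply" ]; then
    shift
    update_homenet "$@" && rc=0 || rc=$?
    case $rc in
        0) $RESTART_CMD ;;   # addresses changed: restart Snort to pick them up
        1) : ;;              # nothing changed: leave Snort running
        *) echo "invalid address, $HOMENET_FILE left untouched" >&2; exit 2 ;;
    esac
fi
```

Skipping the restart when the file is unchanged avoids a gap in monitoring on every lease renewal that hands back the same address.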



