Snort mailing list archives
Re: Something I don't understand...
From: Bob Hillegas <bobhillegas () pdq net>
Date: Tue, 28 Aug 2001 13:08:56 -0500 (CDT)
On Tue, 28 Aug 2001, John Sage wrote:
> Date: Tue, 28 Aug 2001 09:54:06 -0700
> From: John Sage <jsage () finchhaven com>
> To: Bob Hillegas <bobhillegas () pdq net>
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Something I don't understand...
>
> Bob:
>
> Quick thought:
>
> Bob Hillegas wrote:
> > I am running snort Version 1.8.1-RELEASE (Build 74) on RH7.1. Snort is
> > started using the command line:
> >
> > snort -i ppp0 -u snort -g snort -z est -c /etc/snort/snort.conf -D
>
> How does the interface ppp0 match up with running in -D daemon mode? What
> I'm wondering is, is your ppp link eternal, and the IP never-changing? If
> your ppp link comes up and down like mine (I'm a dialup..) and you have a
> dynamic IP, how does snort running in daemon mode know that a new IP
> address has been assigned without snort restarting?
On RH7.1, I'm using ppp on-demand. When ppp is set up (using
/etc/sysconfig/network-scripts/ifup-ppp) it invokes ppp-watch to monitor
the ppp0 port. When it triggers, it runs /etc/ppp/ip-up, which runs
ifup-post. That in turn references ifup-local (if it exists). I added
ifup-local to awk the IP address assigned by my ISP out of
`/sbin/ifconfig`. This gets passed to my ipchains script. I could also
pass it to my snort script, but $ppp0_ADDRESS does the same thing, so I
use that, as in var HOME_NET $ppp0_ADDRESS. Conversely, I use
/etc/sysconfig/network-scripts/ifdown-local to issue kill -TERM
snort.pid. There's some more plumbing involved, but that's the gist of it.
> > The snort.conf rule set is v 1.62 2001/08/12. The snort.conf (without
> > comments) is appended below. I am connected to the internet using ppp0
> > over a 56K modem. I use ipchains to DENY everything but ports 25, 110,
> > 80 (squid), 53, and ICMP.
>
> Not to digress into ipchains/ports philosophy, but are you offering
> services to the outside world such that people need to connect to you
> on 25, 110, 53 and 80?
Port 25 is for outgoing SMTP (Postfix), 110 is for incoming POP3 (Fetchmail), 80 is for HTTP, also 443 HTTPS (squid), 53 is for DNS (bind9).
> Are you offering nameservice to the outside world, for example?
No, just a caching and forwarding server, so that I can resolve internal
addresses and resolve cached addresses without forcing up the ppp0 line
each time a resolution is needed.
> Just wondering...
>
> - John
--
-------------------------------------------------
Bob Hillegas <bobhillegas () pdq net>
281.546.9311

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
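The ifup-local / ifdown-local plumbing Bob describes above, written out as an added example (this is not Bob's actual script and not part of the original message). It assumes 2001-era net-tools `ifconfig` output ("inet addr:..." on the line after the interface name), Bob's stated port set (25, 110, 80, 443, 53, ICMP), an interface name of ppp0, and a snort pid file at /var/run/snort_ppp0.pid, which is an assumption about where snort 1.8 in -D mode writes it. The sample ifconfig output is constructed. `firewall_rules` prints the ipchains commands instead of executing them, so the script runs offline; a real ifup-local would pipe that output into `sh`.

```shell
#!/bin/sh
# Added example: what /etc/sysconfig/network-scripts/ifup-local and
# ifdown-local might do for a dial-up ppp0 link with a dynamic address.
# Not Bob's script; pid file location and port set are assumptions.

# Constructed sample of net-tools ifconfig output (two interfaces so the
# awk below has to pick the right block).
SAMPLE_IFCONFIG='lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

ppp0      Link encap:Point-to-Point Protocol
          inet addr:209.85.12.34  P-t-P:209.85.0.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# ppp_addr IFACE [ifconfig-text]
# Prints the "inet addr:" of IFACE (empty if IFACE is absent). With one
# argument it reads the live /sbin/ifconfig; ifup-local would call
# `ppp_addr ppp0`. The second argument exists so this runs offline.
ppp_addr() {
    iface=$1
    if [ -n "$2" ]; then text=$2; else text=$(/sbin/ifconfig "$iface"); fi
    printf '%s\n' "$text" | awk -v dev="$iface" '
        $1 == dev            { want = 1; next }       # header line of our interface
        want && $1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }
        /^[^ \t]/            { want = 0 }             # header line of another interface
    '
}

# firewall_rules ADDR
# Emits an ipchains input policy for the freshly assigned address:
# default DENY, then the services Bob listed, ICMP, and (my addition,
# labelled as such) non-SYN TCP so replies to outbound connections such
# as fetchmail and squid get back in.
firewall_rules() {
    addr=$1
    cat <<EOF
ipchains -F input
ipchains -P input DENY
ipchains -A input -i ppp0 -p tcp -d $addr 25 -j ACCEPT
ipchains -A input -i ppp0 -p tcp -d $addr 110 -j ACCEPT
ipchains -A input -i ppp0 -p tcp -d $addr 80 -j ACCEPT
ipchains -A input -i ppp0 -p tcp -d $addr 443 -j ACCEPT
ipchains -A input -i ppp0 -p tcp -d $addr 53 -j ACCEPT
ipchains -A input -i ppp0 -p udp -d $addr 53 -j ACCEPT
ipchains -A input -i ppp0 -p icmp -d $addr -j ACCEPT
ipchains -A input -i ppp0 -p tcp ! -y -d $addr 1024:65535 -j ACCEPT
EOF
}

# stop_snort [PIDFILE]
# What ifdown-local does: TERM the daemon so it is restarted with the
# next address. /var/run/snort_ppp0.pid is an assumed location.
stop_snort() {
    pidfile=${1:-/var/run/snort_ppp0.pid}
    if [ -r "$pidfile" ]; then
        kill -TERM "$(cat "$pidfile")"
    fi
}

# Stand-alone demo on the constructed sample. In the real ifup-local this
# would be:  firewall_rules "$(ppp_addr ppp0)" | sh
ADDR=$(ppp_addr ppp0 "$SAMPLE_IFCONFIG")
firewall_rules "$ADDR"
```

Snort itself needs no address handed to it: with `var HOME_NET $ppp0_ADDRESS` in snort.conf it reads the interface address when it starts, which is why the restart from ifdown-local/ifup-local is the whole mechanism.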
Current thread:
- Something I don't understand... Bob Hillegas (Aug 27)
- Re: Something I don't understand... John Sage (Aug 28)
- Re: Something I don't understand... Bob Hillegas (Aug 28)
- Re: Something I don't understand... John Sage (Aug 28)
- Re: Something I don't understand... Bob Hillegas (Aug 28)
- Re: Something I don't understand... Bob Hillegas (Aug 28)
- Re: Something I don't understand... John Sage (Aug 28)