Re: HOME_NET question...

[John Sage <jsage () finchhaven com>]

On Mon, Apr 22, 2002 at 01:42:54PM -0700, Erek Adams wrote:
> On Mon, 22 Apr 2002, Bob Hillegas wrote:

<snippage>

> > I am experimenting with logging all packets in the -b format. I intend to
> > scan them later using snort -r to extract any alerts.

Bob: this is exactly what I'm doing: dialup; snort running -b to
capture everything; custom rules that alert on interesting events.

> > THE PROBLEM is that I'm on a dialip connection where the $ppp0_ADDRESS
> > changes on each connection. Is there anyway to tell from the snort.log
> > file what the current $HOME_NET was at the time of capture?
>
> Not to my knowledge.

Not to my knowledge either..

hmm.. I'm getting the -b binary logging into something like this:

snort-0421 () 1853 log

which is the date and time of the connection start; alerts go to this:

alert184.full-0421 () 1853 log

from this in snort.conf:

# output alert_full
output alert_full: /var/log/snort/alert184.full
# keep as from 1.8.2

(the *184* just confirms what version of snort was running..)


Are you not getting something similar?

I start snort from a line within the shell script that brings up my
ipchains firewall:

/usr/bin/snort184 -b -i ppp0 -o -c /usr/local/snort-1.8.4/snort184.conf &

and in snort.conf I have:

# var HOME_NET any
var HOME_NET $ppp0_ADDRESS
# keep as from 1.8.2




- John
-- 
In those days, you could not buy a $2000 200MHz Pentium server.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users