Snort mailing list archives

snort and openbsd


From: Paul Greene <pauljgreene () comcast net>
Date: Sat, 20 Jul 2002 21:36:54 -0400


I would like to set up an IDS bridge using Snort and OpenBSD (the beginning stages of a honeypot).

The configuration is a home setup, using a cable modem, with another obsd box running NAT connected to the cable modem, providing access to the internal LAN.

To test the install of obsd and snort, I first connected the honeypot box to a hub shared with the NAT box. It was catching and logging alerts just fine.

So then, I reconfigured the honeypot box as a bridge by creating the following three files:

hostname.xl0        -->  media 10BaseT up
hostname.dc0        -->  media 10BaseT up
bridgename.bridge0  -->  add xl0
                         add dc0
                         up

I then ran a CAT5 cable from the cable modem to xl0, and a crossover cable from dc0 to the NAT box. The honeypot box seems to work fine as a bridge; traffic flows from and to the internet just fine from the rest of the internal network.

However, snort doesn't appear to be logging anything. I tried running nmap on an external address, and also went to www.grc.com and ran a port scan back against my own network, but nothing was logged.

I tried leaving the variables for HOME_NET and EXTERNAL_NET to the default "any" and "$HOME_NET" respectively, and also tried:

var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !192.168.0.0/24

This is the command I'm using to fire up snort (plagiarized directly from chapter 1 of the writing rules):

/usr/local/bin/snort -b -A fast -c /usr/local/share/examples/snort/snort.conf

Can anyone help out a snort newbie?

Paul Greene



