Snort mailing list archives

RE: Difficulty setting HOME_NET to my interface address


From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Sat, 15 Feb 2003 00:37:09 -0500

Based on Erek Adams' post, I posted an update to my original reply --
basically, I'm thinking there's an anomaly w/ Snort handling interface names
that contain '\' characters.  

However, as a simple answer to your question (see below), you could write a
CMD script that runs the XP ipconfig command, greps the 'IP Address'
information (PERL is good for this), and uses the IP address information to
generate a new snort.conf.  Possibly by concatenating 'pieces' of various
text files together.  For example, the flow of your CMD script *might* look
something like this:  

        ipconfig | grep "IP Address" > ip.txt
        perl getip.pl < ip.txt
        copy snort.conf.hdr + home_net.txt + snort.conf.tail c:\bin\snort\snort.conf
        kill snort
        snort [some command line options]

        (note 1: I can send you a nice Win32 port of grep if you don't have one)
        (note 2: getip.pl creates a home_net.txt file that contains "var HOME_NET some-ip-address")
        (note 3: You write getip.pl)
        (note 4: sysinternals.com has a nice 'kill' utility called 'pskill')


Of course, there are other utils/scripts which one could use to dynamically
generate a new snort.conf file, and unfortunately for us Win32 folks, most
of the utils/scripts that have been written are *nix based. :{ 


Cheers!
- Christopher


-----Original Message-----
From: Paulo Santos Perneta [mailto:pperneta () netmadeira com]
Sent: Friday, February 14, 2003 7:51 PM
To: L. Christopher Luther
Cc: Snort-Users (E-mail)
Subject: Re: Difficulty setting HOME_NET to my interface address


I'm running Win XP currently.

I was thinking of something like detecting the traffic between my machine and
the DHCP, and when a change of IP is detected, updating the var $HOME_NET.

Is this possible to do with the snort rules?

Thanks for your help.

Paulo Santos Perneta <pperneta () netmadeira com>

----- Original Message ----- 
From: L. Christopher Luther 

Also, depending on the O/S you're using for your Snort sensor, you may be
able to cobble together a script that periodically queries the Snort sensor
to detect an IP change, then modify the snort.conf file, and restart Snort.
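
The CMD flow sketched in the reply above, as an added example that is not part of the original posts: a Python stand-in for the getip.pl step (the post suggests Perl) combined with the header + HOME_NET + tail concatenation. The sample ipconfig text, the function names and the /32 suffix are assumptions; 0.0.0.0, loopback and 169.254.x.x addresses are skipped so a failed DHCP lease never ends up in snort.conf.

```python
import ipaddress
import re

# Constructed sample of Windows XP `ipconfig` output (not from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Autoconfiguration IP Address. . . : 169.254.17.3
        Subnet Mask . . . . . . . . . . . : 255.255.0.0

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Matches the same lines that `grep "IP Address"` would select.
IP_LINE = re.compile(r"IP Address[ .]*:\s*(\S+)")


def find_home_ip(ipconfig_text):
    """Return the first usable IPv4 address, or None if there is no lease."""
    for match in IP_LINE.finditer(ipconfig_text):
        try:
            addr = ipaddress.IPv4Address(match.group(1))
        except ValueError:
            continue  # garbled field: never copy it into snort.conf
        # Skip 0.0.0.0, loopback and 169.254/16 (DHCP failed, APIPA fallback).
        if addr.is_unspecified or addr.is_loopback or addr.is_link_local:
            continue
        return str(addr)
    return None


def regenerate(current_conf, header, tail, ipconfig_text):
    """Return (conf_text, restart_needed); keep the old file if no lease."""
    ip = find_home_ip(ipconfig_text)
    if ip is None:
        return current_conf, False
    # Assumption: single-host CIDR form for the generated HOME_NET line.
    new_conf = header.rstrip("\n") + "\nvar HOME_NET " + ip + "/32\n" + tail
    # Snort only needs the kill/restart step when the file actually changed.
    return new_conf, new_conf != current_conf
```
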

