Snort mailing list archives

Re: snort on a worksation (fc1) <-- router <-- cable-modem <-- internet


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 11 May 2004 18:54:25 -0400

At 04:52 PM 5/11/2004, steph march wrote:
> I would like to monitor for internet activity
> and not the internal activity, but I'm having
> trouble understanding how to do that with a router.
> (and for sure, activity on the workstation with
> snort, which is, let's say, 192.168.1.3)
>
> So it will look like this :
> var HOME_NET [192.168.1.0/24]
>
> but what happens if 192.168.1.1 is the router ?

What about it? Do you honestly expect packets to be addressed to 192.168.1.1 (other than ARPs)?

You won't be able to see any internet traffic addressed directly to the router, but that would be impossible anyway. Internet traffic to the router is going to be addressed to the outside interface address, not the inside address, and you'll only be able to see that traffic by tapping in between the cable modem and the router.

> and what about the workstation with snort (192.168.1.3) ?

So? Do you want to monitor internet traffic being a

It sounds like you want the following as your HOME_NET and EXTERNAL_NET:

var HOME_NET [192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET


Also be aware that if you are using any Ethernet switches, or a switch built into the router, Snort will only see traffic relating to the switch port Snort is connected to.
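
Added example, not part of the original message and not Snort's own code: a simplified Python model of how the two variables above resolve, run over constructed flows to show which side of a rule header each address lands on. The function names, the sample addresses (203.0.113.10 for an internet host, 198.51.100.7 for the router's outside address) and the supported syntax subset are assumptions.

```python
import ipaddress

# Variables as suggested in the message above.
VARS = {"HOME_NET": "[192.168.1.0/24]", "EXTERNAL_NET": "!$HOME_NET"}

def resolve(expr, variables):
    """Return a predicate ip -> bool for a Snort-style address expression.

    Simplified model (assumption, not Snort's parser): supports `any`, one
    CIDR, a bracketed comma list, `$NAME` references and a leading `!`.
    """
    expr = expr.strip()
    if expr.startswith("!"):
        inner = resolve(expr[1:], variables)
        return lambda ip: not inner(ip)
    if expr.startswith("$"):
        return resolve(variables[expr[1:]], variables)
    if expr == "any":
        return lambda ip: True
    if expr.startswith("[") and expr.endswith("]"):
        items = [p.strip() for p in expr[1:-1].split(",")]
        if any(p.startswith("!") for p in items):
            raise ValueError("negated list members are not modelled here")
        parts = [resolve(p, variables) for p in items]
        return lambda ip: any(p(ip) for p in parts)
    net = ipaddress.ip_network(expr, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net

def direction(src, dst, variables=VARS):
    """Classify a flow the way $EXTERNAL_NET/$HOME_NET rule headers would."""
    home = resolve("$HOME_NET", variables)
    ext = resolve("$EXTERNAL_NET", variables)
    side = lambda ip: "HOME" if home(ip) else "EXTERNAL" if ext(ip) else "NONE"
    return f"{side(src)}->{side(dst)}"

# Constructed sample flows; both public addresses are documentation ranges.
FLOWS = [
    ("203.0.113.10", "192.168.1.3"),   # internet host -> Snort workstation
    ("192.168.1.3", "203.0.113.10"),   # workstation -> internet host
    ("192.168.1.1", "192.168.1.3"),    # router inside address -> workstation
    ("203.0.113.10", "198.51.100.7"),  # internet -> router outside address
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        print(f"{src:>13} -> {dst:<13} {direction(src, dst)}")
```

The last flow resolves to EXTERNAL->EXTERNAL: the router's outside address is not in HOME_NET, and that traffic is the kind the message says can only be seen by tapping between the cable modem and the router.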



