Re: Snort Box IP assigned by DHCP

[Paul Schmehl <pauls () utdallas edu>]

Paul Schmehl wrote:
> Palula Brasil wrote:
> > Hi there!
> >  
> > Here is the problem. Every time I turn on the box, I have to look at 
> > the IP assigned by the ISP, edit snort.conf and, in the HOME_NET 
> > variable, I put the DHCP assigned address manually and after that, I 
> > start Snort and it works fine.
> >  
> > What I'd like to know is: Is there a way for me to automatically have 
> > snort to know what IP has been assigned and work with that IP. I've 
> > used both of these variables and it didn't work:
> >  
> > var HOME_NET $eth0_ADDRESS
> > and
> > var HOME_NET $eth0
> >  
> > But still... None worked.
> >  
> > Does Linux need some kind of program to make global variables work?
>
> Try this and see if it works:
> var HOME_NET `ifconfig eth0 | grep inet | awk '{print $2}'`
>
> If that doesn't work, create a small script that assigns that value to 
> an environmental variable and then assign that variable to snort's 
> HOME_NET.
>
> Like this:
>
> #!/bin/bash
> MYIP=`ifconfig eth0 | grep inet | awk '{print $2}'`
> export MYIP
>
> Then, in snort.conf
> var HOME_NET $MYIP
>
> Don't know if either of those will work, but it's worth a try.  If the 
> script works, you'd need to run it on startup, so put it in init.d.
This is probably a better idea (thanks to Jason).

in snort.conf replace var HOME_NET with #include home_net.var

then in the snort startup do

echo "var HOME_NET `ifconfig eth0 | grep inet | awk '{print $2}'`/32" >
home_net.var

If you're unfamiliar with unix comands. please note that I'm using 
backticks before ifconfig and after the awk statement (`).  Those are 
absolutely necessary.  You also need to add the /32, which I forgot and 
Jason pointed out to me.

--
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature