Snort mailing list archives

Re: newbie configuration issues


From: Paul Greene <pauljgreene () comcast net>
Date: Wed, 24 Jul 2002 09:16:00 -0400

At 10:14 PM 7/23/2002 -0700, John Sage wrote:
Paul:

On Tue, Jul 23, 2002 at 09:58:01PM -0400, Paul Greene wrote:
> Hello All;
>
> I recently installed Snort on an "IDS bridge" using OpenBSD.

So the "IDS bridge" is a box with -- what? -- two NICs? Are the NICs
assigned IP addresses, or are they address-less?

If this is the case, you may want to check the list archives, and the
FAQ's 3.1 and 3.2...

Two NICs with no IP addresses. The intention is to make the box invisible on the network, and also put it in front of the gateway box running NAT so that it sees all incoming traffic, not just the traffic that makes it past the gateway/NAT box. As a bridge it seems to work fine; there's no problem with traffic getting in and out. I'm basing this on the concept of a "bridging firewall", but I don't want to block any traffic at this point; so I'm trying to modify the concept to be a "bridging IDS".

How do you have $HOME_NET and $EXTERNAL_NET set?

These haven't been changed from the default snort.conf file. Frankly I wasn't sure what to do with these.

var HOME_NET any
var EXTERNAL_NET $HOME_NET

> The setup is a cable modem. The "IDS bridge" is between the cable modem and
> the NAT box (another openbsd box). The NAT box is dynamically assigned an
> IP address in the 68.48.xxx.xxx range by the cable company. The internal
> network is a 192.168.0.0/24 network.

If you're getting a dynamically-assigned IP address back on the NAT
box, /* somehow I'm having a hard time picturing this: the modem and
the "IDS bridge" are just acting as though they're wire: packets just
pass through with their IP addresses unexamined? */ how do you account
for that relative to $HOME_NET?

The ISP changes the IP number about every 4-6 weeks, but I haven't used that IP number in any configuration files yet anyway.

Do you have some equivalent to:

var HOME_NET $ppp0_ADDRESS

Just the default listed above. I have to plead ignorance on this point, though this is likely where the problem lies.

- John

Paul
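As an added illustration (not from either poster), here is a snort.conf fragment that puts the default Paul quotes next to settings that fit the bridge-in-front-of-NAT layout described in the thread. The interface name and the 68.48.0.0/16 range are placeholder assumptions; the thread only gives "68.48.xxx.xxx".

```conf
# --- Default as shipped (what Paul has). Every address is "home" and
# --- EXTERNAL_NET equals HOME_NET, so rules written as
# --- $EXTERNAL_NET -> $HOME_NET match traffic in either direction and
# --- Snort cannot tell inside from outside.
var HOME_NET any
var EXTERNAL_NET $HOME_NET

# --- Interface-derived form (John's $ppp0_ADDRESS suggestion): Snort
# --- resolves <ifname>_ADDRESS to that interface's IP when it starts.
# --- On an address-less bridge the sniffing NICs carry no IP, so there
# --- is nothing to resolve; the interface name is an assumption.
# var HOME_NET $xl0_ADDRESS

# --- Settings that fit a bridge in front of a NAT box. The bridge sees
# --- packets before translation, so inbound traffic is addressed to the
# --- NAT box's public (dynamic) address, not to 192.168.0.0/24; HOME_NET
# --- must cover both. Snort list syntax: brackets, commas, no spaces.
# --- 68.48.0.0/16 is a placeholder for the ISP block: narrow it to the
# --- real allocation, otherwise other customers in that block count as
# --- "home" and traffic from them is no longer seen as external.
# --- Because the public address changes every few weeks and variables
# --- are read only at startup, re-check this value when it changes.
var HOME_NET [192.168.0.0/24,68.48.0.0/16]
var EXTERNAL_NET !$HOME_NET
```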
