RE: Difficulty setting HOME_NET to my interface address

["L. Christopher Luther" <CLuther () Xybernaut com>]

The HOME_NET variable in snort.conf does not except the value of the
interface name; it is designed to use the IP network for which your computer
is a member.  For example:  

   var HOME_NET 10.1.3.0/24     [to specify an entire Class C network]
   var HOME_NET 192.168.0.1/32  [to specify a single host as the 'network']

Or any variation of thereof.  

The problem you're faced with is the ever changing IP address that your
cable provider gives you.  There is not much you can do about this, except
obtain a statis IP address or ask your cable provider for longer DHCP lease.
I've got a 180-day DHCP lease from my cable provider.  

Also, depending on the O/S you're using for your Snort sensor, you may be
able to cobble together a script that periodically queries the Snort sensor
to detect an IP change, then modify the snort.conf file, and restart Snort.


My $0.02 ...

Christopher


-----Original Message-----
Message: 1
From: "Charles Darwin" <darwin () netmadeira com>
To: <Snort-users () lists sourceforge net>
Date: Fri, 14 Feb 2003 01:33:09 -0000
Subject: [Snort-users] Difficulty setting HOME_NET to my interface address


I'm having great difficulty doing this, because snort.config does not =
seems to accept my interface name when setting HOME_NET.
As a cable modem user I've great interest on doing this, as my IP =
changes oftenly.

Doing snort -W I get a list of my interfaces:

Interface       Device          Description
-------------------------------------------
1  \Device\NPF_NdisWanIp (NdisWan Adapter (Microsoft's Packet Scheduler) =
)
2 \Device\NPF_NdisWanIpx (NdisWan Adapter)
3 \Device\NPF_NdisWanBh (NdisWan Adapter (Microsoft's Packet Scheduler) =
)
4 \Device\NPF_{B42CDDC9-B4BB-42BB-86A5-456FB6192510} (Realtek =
8139-series PCI NI
C                                                       (Microsoft's =
Packet Sche
duler) )
5 \Device\NPF_{10B946B4-4170-4447-9D02-6D2E135640BB} (Realtek =
8139-series PCI NI
C                                                       (Microsoft's =
Packet Sche
duler) )


The interface I want is the 5.

Then on snort.conf I write:

var HOME_NET $\Device\NPF_{10B946B4-4170-4447-9D02-6D2E135640BB}_ADDRESS =

(line 48)

then snort -T

the result is:

------------------------------------
C:\Snort>snort  -T
Initializing Output Plugins!
Log directory = log

Initializing Network Interface \
using config file ./snort.conf
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file ./snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR => Undefined variable name: (./snort.conf:48):
Fatal Error, Quitting..
----------------------------------------

Does anyone have an ideia of what I'm doing wrong?

Kind regards,

Paulo Santos Perneta <pperneta () netmadeira com>