Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Snort on home DSL connection

From: "Bell, Josh" <josh.bell () guidancesoftware com>
Date: Sun, 28 Dec 2003 15:08:09 -0800
The problem there is Snort is listening outside my firewall - and since I'm using NAT, that interface will never see a 
packet to/from 192.168.x.x.  It'll only see packets to/from the dynamic IP my ISP gave me.

        -----Original Message----- 
        From: Erek Adams [mailto:erek () snort org] 
        Sent: Thu 12/25/2003 6:33 AM 
        To: Bell, Josh 
        Cc: snort-users () lists sourceforge net 
        Subject: Re: [Snort-users] Snort on home DSL connection
        
        

        On Wed, 24 Dec 2003, Bell, Josh wrote:
        
        > Another Snort newb here...
        >
        > I've set up a Snort box at home so I can have an 'expendable' box to
        > experiment and learn on.  I have an SBC DSL connection.  The DSL line
        > runs into my DSL modem, from there to a little hub, and from there to a
        > Linksys-type router/firewall, where my machines are connected.  It's a
        > PPPoE DSL connection so my IP can and does change rather frequently.
        >
        > On my Snort box, eth0 is connected to the 'inside' network with an
        > RFC1918 address and eth1 is connected to the hub in promiscuous mode.
        > It receives all traffic that hits the hub, the only problem I have is I
        > don't know how to set the HOME_NET variable.  I can't use eth0's IP
        > because that's just a 192.168 address.  Eth1 has no IP and I don't want
        > to statically plug in in there.  Can I use a DNS name?  I have a DYNDNS
        > account which in theory is updated regularly and should be the IP of my
        > router.  If not, is there some way of telling it to use whatever IP is
        > currently assigned to a particular MAC?
        
        Use the 192.158.x.x address as HOME_NET.  After all you're looking to see
        what is coming from the internet (var EXTERNAL_NET !$HOME_NET) that's
        coming at you (PPPoE).  Since Snort doesn't handle PPPoE that well, you're
        better off to listen to the 'inside' interface (192.168.x.x) and see
        what's passing "thru" the router/gateway.
        
        Cheers!
        
        -----
        Erek Adams
        
           "When things get weird, the weird turn pro."   H.S. Thompson
 
Note:  The information contained in this message may be privileged and confidential and thus protected from disclosure. 
 If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited.  If you have received this communication in error, please notify us immediately 
by replying to the message and deleting it from your computer.  Thank you.



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: