Snort mailing list archives
RE: Snort on home DSL connection
From: "Bell, Josh" <josh.bell () guidancesoftware com>
Date: Sun, 28 Dec 2003 15:08:09 -0800
The problem there is Snort is listening outside my firewall - and since I'm using NAT, that interface will never see a packet to/from 192.168.x.x. It'll only see packets to/from the dynamic IP my ISP gave me. -----Original Message----- From: Erek Adams [mailto:erek () snort org] Sent: Thu 12/25/2003 6:33 AM To: Bell, Josh Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Snort on home DSL connection On Wed, 24 Dec 2003, Bell, Josh wrote: > Another Snort newb here... > > I've set up a Snort box at home so I can have an 'expendable' box to > experiment and learn on. I have an SBC DSL connection. The DSL line > runs into my DSL modem, from there to a little hub, and from there to a > Linksys-type router/firewall, where my machines are connected. It's a > PPPoE DSL connection so my IP can and does change rather frequently. > > On my Snort box, eth0 is connected to the 'inside' network with an > RFC1918 address and eth1 is connected to the hub in promiscuous mode. > It receives all traffic that hits the hub, the only problem I have is I > don't know how to set the HOME_NET variable. I can't use eth0's IP > because that's just a 192.168 address. Eth1 has no IP and I don't want > to statically plug in in there. Can I use a DNS name? I have a DYNDNS > account which in theory is updated regularly and should be the IP of my > router. If not, is there some way of telling it to use whatever IP is > currently assigned to a particular MAC? Use the 192.158.x.x address as HOME_NET. After all you're looking to see what is coming from the internet (var EXTERNAL_NET !$HOME_NET) that's coming at you (PPPoE). Since Snort doesn't handle PPPoE that well, you're better off to listen to the 'inside' interface (192.168.x.x) and see what's passing "thru" the router/gateway. Cheers! ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson Note: The information contained in this message may be privileged and confidential and thus protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. ------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id78&alloc_id371&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort on home DSL connection Bell, Josh (Dec 24)
- Re: Snort on home DSL connection Erek Adams (Dec 25)
- <Possible follow-ups>
- RE: Snort on home DSL connection Bell, Josh (Dec 28)