I would like to use snort http://www.snort.org/ as an intrusion detection system (IDS) on my dial-up PC.

    Internet <-> ISP <-> ISDN (ippp0) PC1 (eth0) <-> (eth0) PC2

As soon as I dial up, I will get a dynamically assigned IP address, e.g. 213.54.32.190. So the above example could have the following IP addresses:

    IN <-> 212.122.151.50 <-> 213.54.32.190 (ippp0 local IP address) 192.168.17.1 (eth0) <-> 192.168.17.2
           ISP                PC1                                                            PC2

I only want to use the IDS when I'm online. So I thought I could just add a call to "rcsnort" in /etc/ppp/ip-up:

    ip-up)
        /usr/sbin/rcsnort start
        ;;
    ip-down)
        /usr/sbin/rcsnort stop
        ;;

Depending on my /etc/rc.config, snort will get started like this:

    /usr/sbin/snort -D -i ippp0 -c /etc/snort/snort.conf

Note that it uses the ISDN interface (ippp0).

1. Do I have to use "ippp0" or "eth0"? I guess I can't put an ISDN card in promiscuous mode, can I?

The Snort FAQ states the following:

| Q: IP address is assigned dynamically to my interface, can I use
|    snort with it?
|
| A: Yes. With snort 1.7 and later, <interface>_ADDRESS variable is
|    available.
|    The value of this variable will be always set to IP
|    address/Netmask of the interface which you run snort at. if
|    interface goes down and up again (and an IP address is
|    reassigned) you will have to restart snort. For earlier
|    versions of snort numerous scripts to achieve the same result
|    are available.

2. How/where do I use this variable?

I read the FAQ and some READMEs but still can't find the answers to my questions. I would really like to use snort, since tests on my local network (eth0) with snort and ACID (PHP-based analysis engine) run smoothly.

Mark

PS: There is an article about IDS systems (and especially Snort) in the German computer magazine c't 8/01.
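The hook described in the post, written out as an added example (not part of the original message and not SuSE's or the Snort project's own script). It assumes that ip-up and ip-down are one script installed under two names and that pppd/ipppd pass the interface as the first argument; `snort_hook_plan` and `snort_hook_run` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: dispatch logic for a combined /etc/ppp/ip-up / ip-down hook.
# pppd and ipppd call the hook as:
#   <script> <interface> <tty> <speed> <local-ip> <remote-ip> [ipparam]
# Assumption: snort.conf picks up the dynamic address through the FAQ's
# <interface>_ADDRESS variable, e.g. "var HOME_NET $ippp0_ADDRESS".

IDS_IFACE=ippp0               # link Snort listens on (-i ippp0 in the post)
RCSNORT=/usr/sbin/rcsnort     # init script named in the post

# Print the commands for one hook invocation, one per line (nothing if the
# call is not for the monitored link). $1 = script path, $2 = interface.
snort_hook_plan() {
    hook=${1##*/}             # ip-up or ip-down: one script, two names
    iface=$2
    [ "$iface" = "$IDS_IFACE" ] || return 0
    case "$hook" in
        ip-up)
            # The FAQ says Snort must be restarted after the address
            # changes, so clear any instance left from the previous
            # connection before starting a new one.
            echo "$RCSNORT stop"
            echo "$RCSNORT start"
            ;;
        ip-down)
            echo "$RCSNORT stop"
            ;;
    esac
}

# Execute the plan; a failing step is reported but does not abort the hook.
snort_hook_run() {
    snort_hook_plan "$@" | while read -r cmd arg; do
        "$cmd" "$arg" || echo "snort hook: $cmd $arg failed" >&2
    done
}

# Does nothing unless the file is installed as ip-up or ip-down.
snort_hook_run "$0" "$@"
```

Filtering on the interface argument keeps the hook from starting or stopping Snort when a different PPP link on the same machine changes state.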