I would like to use snort http://www.snort.org/ as an intrusion detection system (IDS) on my dial-up PC.

  Internet <-> ISP <-> ISDN (ippp0) PC1 (eth0) <-> (eth0) PC2

As soon as I dial up, I will get a dynamically assigned IP address, e.g. 213.54.32.190. So the above example could have the following IP addresses:

  IN <-> 212.122.151.50 <-> 213.54.32.190 (ippp0 local IP address)  192.168.17.1 (eth0) <-> 192.168.17.2
              ISP                         PC1                                                  PC2

I only want to use the IDS when I'm online. So I thought I could just add a call to "rcsnort" in /etc/ppp/ip-up:

  ip-up)
      /usr/sbin/rcsnort start
      ;;
  ip-down)
      /usr/sbin/rcsnort stop
      ;;

Depending on my /etc/rc.config, snort will get started like that:

  /usr/sbin/snort -D -i ippp0 -c /etc/snort/snort.conf

Note that it uses the ISDN interface (ippp0).

1. Do I have to use "ippp0" or "eth0"? I guess I can't put an ISDN card in promiscuous mode, can I?

The Snort FAQ states the following:

| Q: IP address is assigned dynamically to my interface, can I use
| snort with it?
|
| A: Yes. With snort 1.7 and later, <interface>_ADDRESS variable is
| available.
| The value of this variable will be always set to IP
| address/Netmask of the interface which you run snort at. if
| interface goes down and up again (and an IP address is
| reassigned) you will have to restart snort. For earlier
| versions of snort numerous scripts to achieve the same result
| are available.

2. How/where do I use this variable?

I read the FAQ and some READMEs but still can't find the answers to my questions. I would really like to use snort, since tests on my local network (eth0) with snort and ACID (PHP based analysis engine) run smoothly.

Mark

PS: There is an article about IDS systems (and especially Snort) in the German computer magazine c't 8/01.
Mark Lutz wrote:
The Snort FAQ states the following:
| Q: IP address is assigned dynamically to my interface, can I use
| snort with it?
|
| A: Yes. With snort 1.7 and later, <interface>_ADDRESS variable is
| available.
| The value of this variable will be always set to IP
| address/Netmask of the interface which you run snort at. if
| interface goes down and up again (and an IP address is
| reassigned) you will have to restart snort. For earlier
| versions of snort numerous scripts to achieve the same result
| are available.
2. How/where do I use this variable?
AFAIK in the /etc/snort/snort-lib file you define the HOME_NETWORK as

  var HOME_NETWORK 192.168.1.0/24

then you define the EXTERNAL_NET, and this could be

  var EXTERNAL_NET !$HOME_NETWORK

This way, by using the negation mark "!" and the defined variable HOME_NETWORK, anything that is not HOME_NETWORK is assumed EXTERNAL.

HTH

--
Togan Muftuoglu
* Mark Lutz wrote on Fri, Apr 13, 2001 at 04:18 +0200:
1. Do I have to use "ippp0" or "eth0"? I guess I can't put an ISDN card in promiscuous mode, can I?
You shouldn't need it. On Ethernet devices, promiscuous mode is necessary to get the device to let any packets through to the kernel (otherwise, non-broadcast packets to different MAC addresses would not be seen by the kernel). On peer-to-peer devices it's different because they don't work on a bus but peer to peer, so the kernel processes all received packets anyway.

oki, Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.
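The two answers above settle the interface (Snort listens on the point-to-point ippp0 link, no promiscuous mode needed) and the variable definitions (a HOME_NET plus its negation as EXTERNAL_NET). The FAQ adds the operational requirement: Snort reads $<interface>_ADDRESS once at start-up, so after every redial the daemon must be restarted or HOME_NET silently points at the previous address and the direction-sensitive rules misfire. The script below is an added example, written for this thread rather than taken from any of the posters or from the Snort project; it ties the three pieces into one pppd ip-up/ip-down hook in POSIX sh. Assumptions not stated in the thread: pppd invokes the hook as "ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP" (so $1 is the interface), the file is installed as /etc/ppp/ip-up and linked as /etc/ppp/ip-down so it dispatches on its own name (matching Mark's ip-up)/ip-down) case labels), Snort in -D mode writes its PID to /var/run/snort_<iface>.pid, and snort.conf contains "include /etc/snort/home_net.conf" so the generated variables are picked up. The paths are placeholders to adapt.

```shell
#!/bin/sh
# Added example, not from the thread. Install as /etc/ppp/ip-up and link it
# to /etc/ppp/ip-down; pppd runs the hook as
#   ip-up IFNAME TTY SPEED LOCAL_IP REMOTE_IP IPPARAM   (pppd convention)
# Assumed (not stated in the thread): Snort 1.7+ exports $<iface>_ADDRESS,
# writes its PID to $PIDFILE_DIR/snort_<iface>.pid in -D mode, and snort.conf
# carries "include /etc/snort/home_net.conf" so the generated vars are read.

SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
HOME_NET_CONF="${HOME_NET_CONF:-/etc/snort/home_net.conf}"
PIDFILE_DIR="${PIDFILE_DIR:-/var/run}"

# "start" for ip-up, "stop" for ip-down, empty for any other hook name.
hook_action() {
    case "$(basename "$1")" in
        ip-up)   echo start ;;
        ip-down) echo stop ;;
        *)       echo "" ;;
    esac
}

# Snort belongs on the point-to-point link, not on the LAN interface:
# eth0 would only ever show LAN traffic, ippp0 sees what the ISP delivers.
is_ppp_iface() {
    case "$1" in
        ppp[0-9]*|ippp[0-9]*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# HOME_NET follows the address Snort captured on the interface at start-up;
# everything that is not HOME_NET is external. Because the value is fixed
# when Snort starts, a new address after redial needs a restart.
snort_net_vars() {
    printf 'var HOME_NET $%s_ADDRESS\nvar EXTERNAL_NET !$HOME_NET\n' "$1"
}

# Stop a daemon left over from the previous connection (stale address).
stop_snort() {
    pidfile="$PIDFILE_DIR/snort_$1.pid"
    if [ -r "$pidfile" ]; then
        kill "$(cat "$pidfile")" 2>/dev/null || true
        rm -f "$pidfile"
    fi
}

# Write the variable file, then start Snort in daemon mode on the link.
start_snort() {
    snort_net_vars "$1" > "$HOME_NET_CONF"
    "$SNORT_BIN" -D -i "$1" -c "$SNORT_CONF"
}

ppp_snort_hook() {
    action="$(hook_action "$0")"
    iface="$1"
    [ -n "$action" ] && is_ppp_iface "$iface" || return 0
    stop_snort "$iface"                    # always clear the old instance
    [ "$action" = start ] && start_snort "$iface"
    return 0
}

# Dispatch only when pppd invokes the file under a hook name; running or
# sourcing it under any other name (e.g. for tests) defines functions only.
case "$(basename "$0")" in
    ip-up|ip-down) ppp_snort_hook "$@" ;;
esac
```

Stopping unconditionally before a start is the point of the hook: ip-down is not guaranteed to run if the link drops hard, so ip-up has to assume a daemon with the old address may still be running. Starting from ip-up (rather than from the boot-time rc script) also means the IDS is never listening on an interface that has no address yet.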
Participants (3): Mark Lutz, Steffen Dettmer, Togan Muftuoglu