Snort mailing list archives
snort and openbsd
From: Paul Greene <pauljgreene () comcast net>
Date: Sat, 20 Jul 2002 21:36:54 -0400
I would like to set up an IDS bridge using Snort and OpenBSD (the beginning stages of a honeypot).
The configuration is a home setup, using a cable modem, with another obsd box running NAT connected to the cable modem, providing access to the internal LAN.
To test the install of obsd and snort, I first connected the honeypot box to a hub shared with the NAT box. It was catching and logging alerts just fine.
So then, I reconfigured the honeypot box as a bridge by creating the following three files:

hostname.xl0 --> media 10BaseT up
hostname.dc0 --> media 10BaseT up
bridgename.bridge0 --> add xl0 add dc0 up

I then ran a CAT5 cable from the cable modem to xl0, a crossover cable from dc0 to the NAT box. The honeypot box seems to work fine as a bridge; traffic flows from and to the internet just fine from the rest of the internal network.
However, snort doesn't appear to be logging anything. I tried running nmap on an external address, and also went to www.grc.com and ran a port scan back against my own network, but nothing was logged.
I tried leaving the variables for HOME_NET and EXTERNAL_NET to the default "any" and "$HOME_NET" respectively, and also tried:

var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !192.168.0.0/24

This is the command I'm using to fire up snort (plagiarized directly from chapter 1 of the writing rules):

/usr/local/bin/snort -b -A fast -c /usr/local/share/examples/snort/snort.conf

Can anyone help out a snort newbie?

Paul Greene