From owner-freebsd-questions Tue Sep 19 22:22:54 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from tisch.mail.mindspring.net (tisch.mail.mindspring.net [207.69.200.157]) by hub.freebsd.org (Postfix) with ESMTP id A61DC37B422 for ; Tue, 19 Sep 2000 22:22:51 -0700 (PDT)
Received: from timothyr.net (user-vcaumvk.dsl.mindspring.com [216.175.91.244]) by tisch.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id BAA01607; Wed, 20 Sep 2000 01:22:45 -0400 (EDT)
Received: from sloth (sloth [192.168.1.5]) by timothyr.net (8.11.0/8.11.0) with SMTP id e8K5MdH33686; Tue, 19 Sep 2000 22:22:39 -0700 (PDT) (envelope-from timothyr@timothyr.com)
From: "Timothy L. Robertson"
To: ,
Subject: [Summary] New Snort Configuration (FreeBSD 4.1S)
Date: Wed, 20 Sep 2000 10:21:36 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
In-reply-to:
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I thought I'd post a little summary reflecting my experiences installing snort so others who search the mailing list archives can find it.

My home network consists of a DSL modem that is connected to an Ethernet interface of my FreeBSD 4.1-STABLE box, which acts as firewall and gateway to my private network on another Ethernet interface. I connect to my ISP using PPPoE and the netgraph kernel modules as described at http://www.freebsd.org/handbook/pppoe.html.

I installed snort by cvsupping the latest ports tree and doing a make install in /usr/ports/security/snort. Because my ISP gives me a dynamic IP address, I could not just use snort out of the box, since /usr/local/share/snort/snort-lib requires hardcoding the IP address into the variable $HOME_NET.
Thanks to Gregor Binder, Vitaly McLain, and Fyodor for pointing me to a script by Sten Kalenda Apeldoorn on the snort webpage which rewrites the snort-lib to reflect the dynamically assigned IP address. The script assumes a System V style ifconfig and had to be modified slightly to accommodate Berkeley Unix. (Script attached below.)

Finally, I saved this script as /etc/snortstart.sh and added the line /bin/sh /etc/snortstart.sh to /etc/rc.local. This approach works fine on my system, but may run into some difficulty on systems where the DHCP server reassigns an IP address after lease expiration; in that case /etc/ppp/ppp.linkup might be a more appropriate location.

To test my installation I did portscans from http://www.cablemodemhelp.com/portscan.htm and HackerWhacker.com and saw alerts flashed to the console and logged to /var/log/snort. For more extensive testing one could install nmap from www.insecure.org as suggested by Blake Frantz.

Thanks to everyone who helped and Happy Snorting!

-Tim
timothyr@timothyr.com

-----Begin /etc/snortstart.sh---------------------------------
#!/bin/sh
# address_config.sh -v0.2
# Handy script for laptop users that change their
# IP address frequently. This automates the
# process of updating your Snort rules file.
# You might find this little script can be useful, enjoy...
# Sten Kalenda Apeldoorn The Netherlands
# ------------------ MODIFY HERE ---------------------------------------
IF0=tun0                               # PPPoE link interface
MASK="32"                              # a single dynamic address, not a subnet
SNORTDIR="/usr/local/bin"
SNORTLIBDIR="/usr/local/share/snort"
SNORTLOGDIR="/var/log/snort"
# ------------------ DO NOT CHANGE BELOW -------------------------------
if [ ! -d "$SNORTLIBDIR" ] ; then
    echo "Directory $SNORTLIBDIR not found" >&2
    exit 1
fi
cd "$SNORTLIBDIR" || exit 1
if [ ! -d "$SNORTLOGDIR" ] ; then
    mkdir "$SNORTLOGDIR"
    chmod 700 "$SNORTLOGDIR"
fi
# Berkeley-style ifconfig prints the address on the "inet" line
# ("inet A.B.C.D --> P.Q.R.S netmask 0xffffffff" on a tun interface).
# Match on that keyword rather than counting lines from the end of the
# output, which breaks as soon as ifconfig prints an extra trailing line.
MYIP=`/sbin/ifconfig $IF0 | awk '$1 == "inet" { print $2; exit }'`
#MYIP="216.175.89.29"
if [ -z "$MYIP" ] ; then
    echo "No inet address on $IF0 yet" >&2
    exit 1
fi
# Replace the default HOME_NET (10.1.1.0/24 in the stock snort-lib) with the
# current address. Write a fresh copy so snort-lib itself stays untouched
# and the substitution can be repeated on the next address change.
sed "s|10\.1\.1\.0/24|$MYIP/$MASK|g" snort-lib > snort-lib_run
# This is the line which starts snort. Change command line options here.
$SNORTDIR/snort -svD -A full -l $SNORTLOGDIR -c $SNORTLIBDIR/snort-lib_run -i $IF0
-----End /etc/snortstart.sh-----------------------------------
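The post notes that running the script once from /etc/rc.local is not enough when the address changes after boot, and suggests /etc/ppp/ppp.linkup instead. The script below is an added example for that case; it is not the script from the post nor anything shipped with snort. It keeps the same variables and the same snort invocation, but (a) picks the address off the "inet" line of BSD ifconfig output instead of counting lines, (b) rewrites the "var HOME_NET" line by name rather than by its default value, so it keeps working after snort-lib has been edited, and (c) records the last address it used so that a hook called on every link-up only restarts snort when the address actually changed. Assumptions that are not from the page: snort-lib declares HOME_NET with a "var HOME_NET ..." line, snort -D leaves its pid in the file named by PIDFILE, the state file path is otherwise unused, and the script is invoked with the single argument "run" (for example from the MYADDR: label of ppp.linkup, see ppp(8) for the exact escape syntax).

```shell
#!/bin/sh
# Added example, not the script from the post: a link-up hook that refreshes
# HOME_NET and restarts snort only when the tun0 address has changed.
# Assumptions (not from the page): "var HOME_NET ..." line in snort-lib,
# snort -D pidfile name below, and a free path for STATEFILE.

IF0="${IF0:-tun0}"
MASK="${MASK:-32}"
SNORTDIR="/usr/local/bin"
SNORTLIBDIR="/usr/local/share/snort"
SNORTLOGDIR="/var/log/snort"
STATEFILE="/var/run/snort_home_net.last"   # assumed free; last address used
PIDFILE="/var/run/snort_$IF0.pid"          # assumed name of snort's -D pidfile

# Print the first IPv4 address from BSD ifconfig output read on stdin.
# Keys on the "inet" keyword, so it works for the "inet A --> B netmask"
# line of a tun/ppp interface and the "inet A netmask ... broadcast" line of
# an Ethernet interface, and skips "inet6" lines.
extract_ip() {
    awk '$1 == "inet" { print $2; exit }'
}

# Return 0 if $1 is a dotted quad with every octet in 0..255, else 1.
# Stops an empty or garbage value from being written into the config.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Copy a snort config from stdin to stdout with the "var HOME_NET ..." line
# replaced by "var HOME_NET $1/$2"; every other line passes through.
rewrite_home_net() {
    awk -v net="$1/$2" '
        $1 == "var" && $2 == "HOME_NET" { print "var HOME_NET " net; next }
        { print }'
}

# Rewrite the config and (re)start snort if the address differs from the
# one recorded in STATEFILE or snort is not running. Prints "unchanged" or
# "restarted"; returns 1 if no usable address is present yet.
relink() {
    ip=$(/sbin/ifconfig "$IF0" | extract_ip)
    valid_ipv4 "$ip" || { echo "no usable inet address on $IF0" >&2; return 1; }
    last=$(cat "$STATEFILE" 2>/dev/null)
    if [ "$ip" = "$last" ] && [ -f "$PIDFILE" ]; then
        echo unchanged
        return 0
    fi
    [ -d "$SNORTLOGDIR" ] || { mkdir "$SNORTLOGDIR" && chmod 700 "$SNORTLOGDIR"; }
    rewrite_home_net "$ip" "$MASK" < "$SNORTLIBDIR/snort-lib" > "$SNORTLIBDIR/snort-lib_run"
    if [ -f "$PIDFILE" ]; then
        kill "$(cat "$PIDFILE")" 2>/dev/null
        rm -f "$PIDFILE"
    fi
    "$SNORTDIR/snort" -svD -A full -l "$SNORTLOGDIR" -c "$SNORTLIBDIR/snort-lib_run" -i "$IF0"
    printf '%s\n' "$ip" > "$STATEFILE"
    echo restarted
}

# Only act when invoked as "snort-relink.sh run"; sourcing the file merely
# defines the functions above.
case "${1:-}" in run) relink ;; esac
```

Because the hook is idempotent, the same line can be used from rc.local at boot and from ppp.linkup on every redial: the boot call starts snort, and later calls are no-ops until the ISP hands out a different address.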