Date: Wed, 20 Sep 2000 10:21:36 -0700
From: "Timothy L. Robertson" <timothyr@timothyr.com>
To: <snort-users@lists.sourceforge.net>, <freebsd-questions@freebsd.org>
Subject: [Summary] New Snort Configuration (FreeBSD 4.1S)
Message-ID: <NEBBKDBFKKIDPAPJPFOPIELMCEAA.timothyr@timothyr.com>
In-Reply-To: <Pine.BSF.4.21.0009190710140.244-100000@beez.siamrelay.com>
I thought I'd post a little summary reflecting my experiences installing snort so others who search the mailing list archives can find it.

My home network consists of a DSL modem that is connected to an Ethernet interface of my FreeBSD 4.1-STABLE box, which acts as firewall and gateway to my private network on another Ethernet interface. I connect to my ISP using PPPoE and the netgraph kernel modules as described at http://www.freebsd.org/handbook/pppoe.html.

I installed snort by cvsuping the latest ports tree and doing a make install in /usr/ports/security/snort. Because my ISP gives me a dynamic IP address, I could not just use snort out of the box since /usr/local/share/snort/snort-lib requires hardcoding the IP address into the variable $HOME_NET. Thanks to Gregor Binder, Vitaly McLain, and Fyodor for pointing me to a script by Sten Kalenda Apeldoorn on the snort webpage which rewrites the snort-lib to reflect the dynamically assigned IP address. The script assumes a System V style ifconfig and had to be modified slightly to accommodate Berkeley Unix. (Script attached below.)

Finally, I saved this script as /etc/snortstart.sh and added the line /bin/sh /etc/snortstart.sh to /etc/rc.local. This approach works fine on my system, but may run into some difficulty on systems where the DHCP server reassigns an IP address after lease expiration; in that case /etc/ppp/ppp.linkup might be a more appropriate location.

To test my installation I did portscans from http://www.cablemodemhelp.com/portscan.htm and HackerWhacker.com and saw alerts flashed to the console and logged to /var/log/snort. For more extensive testing one could install nmap from www.insecure.org as suggested by Blake Frantz.

Thanks to everyone who helped and Happy Snorting!

-Tim
timothyr@timothyr.com

-----Begin /etc/snortstart.sh---------------------------------
#!/bin/sh
# address_config.sh -v0.2
# Handy script for laptop users that change their
# IP address frequently. This automates the
# process of updating your Snort rules file.
# You might find this little script can be useful, enjoy...
# Sten Kalenda Apeldoorn The Netherlands
# ------------------ MODIFY HERE ---------------------------------------
IF0=tun0
MASK="32"
SNORTDIR="/usr/local/bin"
SNORTLIBDIR="/usr/local/share/snort"
SNORTLOGDIR="/var/log/snort"
# ------------------ DO NOT CHANGE BELOW -------------------------------
if [ ! -d "$SNORTLIBDIR" ] ; then
    echo "Directory $SNORTLIBDIR not found"
    exit 1
fi
cd "$SNORTLIBDIR" || exit 1
if [ ! -e "$SNORTLOGDIR" ] ; then
    mkdir "$SNORTLOGDIR"
    chmod 700 "$SNORTLOGDIR"
fi
# Take the first "inet" address the interface reports (BSD ifconfig output).
# Picking the line by position with tail/head breaks as soon as ifconfig
# prints an extra line, so match on the field instead.
MYIP=`/sbin/ifconfig "$IF0" | awk '/inet /{print $2; exit}'`
#MYIP="216.175.89.29"
if [ -z "$MYIP" ] ; then
    echo "No IP address found on $IF0 (link not up?); not starting snort"
    exit 1
fi
# Replace the placeholder network in snort-lib with the current address.
# '|' is the sed delimiter so the '/' in the CIDR masks needs no escaping.
CHG="s|10\.1\.1\.0/24|$MYIP/$MASK|g"
sed "$CHG" snort-lib > snort-lib_run
# This is the line which starts snort. Change command line options here.
$SNORTDIR/snort -svD -A full -l "$SNORTLOGDIR" -c "$SNORTLIBDIR/snort-lib_run" -i "$IF0"
-----End /etc/snortstart.sh-----------------------------------
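As an added example (not part of Tim's post or Sten Kalenda Apeldoorn's script), the same HOME_NET rewrite as small POSIX shell functions with the two checks the post's caveats call for: refusing to build a rules file while the PPPoE link has no address yet, and detecting when the running snort-lib_run still carries the address from a previous lease. The function names (iface_ip, valid_ip, rewrite_home_net, home_net_stale) are my own, and the ifconfig output and rules lines are constructed samples.

```shell
#!/bin/sh
# Added example, not the original script. Sample inputs below are constructed.

# Print the first IPv4 address in BSD ifconfig output read from stdin,
# matching the "inet A.B.C.D" line instead of relying on its position.
iface_ip() {
    awk '$1 == "inet" { print $2; exit }'
}

# Succeed only for a dotted-quad address; an empty result means the link
# is not up yet and Snort must not be started with a bogus HOME_NET.
valid_ip() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Replace the placeholder network ($1) with the live one ($2) in the rules
# text on stdin. '|' is the sed delimiter so the '/' in CIDR needs no
# escaping; dots in the placeholder are escaped so they match literally.
rewrite_home_net() {
    old=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed "s|$old|$2|g"
}

# Return 0 if the rules text on stdin does not carry the given network,
# i.e. the running Snort still has a HOME_NET from a previous lease.
home_net_stale() {
    if grep -qF -- "HOME_NET $1"; then return 1; else return 0; fi
}

# Constructed sample: FreeBSD ifconfig output for a PPPoE tun0 link.
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 192.0.2.10 --> 192.0.2.1 netmask 0xffffffff'
# Constructed sample of a snort-lib with the default placeholder network.
SAMPLE_LIB='var HOME_NET 10.1.1.0/24
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP connection attempt";)'

# Stand-alone run: build the live rules text only when an address exists.
MYIP=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_ip)
if valid_ip "$MYIP"; then
    printf '%s\n' "$SAMPLE_LIB" | rewrite_home_net 10.1.1.0/24 "$MYIP/32"
fi
```

Run home_net_stale against the snort-lib_run currently in use (for example from /etc/ppp/ppp.linkup) to decide whether Snort needs a restart after the address changed.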