Date: Mon, 14 Jan 2002 15:29:59 -0000
From: Lee Brotherston <lee.brotherston@uk.easynet.net>
To: 'Haikal Saadh' <wyldephyre2@yahoo.com>, 'Krzysztof Zaraska' <kzaraska@student.uci.agh.edu.pl>, freebsd-security@freebsd.org
Subject: RE: Which intrusion detection to use?
Message-ID: <7052044C7D7AD511A20200508B5A9C58516AF7@MAGRAT>

| What I'd like someone to clarify for me is:
| Is snort actually seeing incoming packets on my outside interface, and
| I've been really lucky so far
| OR
| Is snort not hearing anything on my outside interface? (tun0)

Have you tried waiting until the dialup connection is established, then
running snort with:

    -i tun0

This specifies which interface to listen on. You will of course not see
any traffic on your local LAN anymore, as it will not be sniffing the
interface connected to your hub/switch. It should however pick up the
inbound traffic and any local traffic that goes out over the interface.

If you want to get paranoid, run snort on all interfaces and compare the
results :)

Normally you need to run an instance per interface, unless you're using a
Linux 2.1.x/2.2.x kernel. If you are, you might want to see
http://www.snort.org/docs/faq.html#3.4

Thanks

Lee

--
Lee Brotherston - IP Security Manager, Easynet Ltd
http://www.easynet.net/
Phone: +44 20 7900 4444

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message