Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 14 Jan 2002 21:24:09 +0500
From:      "Haikal Saadh" <wyldephyre2@yahoo.com>
To:        "'Lee Brotherston'" <lee.brotherston@uk.easynet.net>, "'Krzysztof Zaraska'" <kzaraska@student.uci.agh.edu.pl>, <freebsd-security@freebsd.org>
Subject:   RE: Which intrusion detection to use?
Message-ID:  <000001c19d17$ec59c7c0$40c801ca@warhawk>
In-Reply-To: <7052044C7D7AD511A20200508B5A9C58516AF7@MAGRAT>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help


> -----Original Message-----
> From: Lee Brotherston [mailto:lee.brotherston@uk.easynet.net]
> Sent: Monday, January 14, 2002 8:30 PM
> To: 'Haikal Saadh'; 'Krzysztof Zaraska'; freebsd-security@freebsd.org
> Subject: RE: Which intrusion detection to use?
>
>
>
> | What I'd like to someone to clarify for me is:
> | Is snort actually seeing incoming packets on my outside
> interface, and
> | I've been really lucky so far
> | 		OR
> | Is snort not hearing anything on my outside interface? (tun0)
>
> Have you tried waiting until the dialup connection is
> established then running snort with:
>
> -i tun0
>
> This specifies which interface to listen on.  You will of
> course not see any traffic on your local lan anymore, as it
> will not be sniffing the interface connected to your
> hub/switch.  It should however pickup the inbound traffic and
> any local traffic that goes out over the interface.
>
> If you want to get paranoid run snort on all interfaces and
> compare the results :)
>
> Normally you need to run an instance per interface, unless
> you're using a linux 2.1.x/2.2.x kernel.  If you are you
> might want to see http://www.snort.org/docs/faq.html#3.4
>

I suspected that, as a lot of the docco I've read point to people who do
indeed have two instances of snort running. I was, however misled by
being able to set HOMENET to any in snort.conf. I think I'll add an
entry in ppp.linkup to start snort when my modem dials out.

Thanks for setting me straight on this matter.



_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?000001c19d17$ec59c7c0$40c801ca>