Date:      Mon, 14 Jan 2002 21:24:09 +0500
From:      "Haikal Saadh" <>
To:        "'Lee Brotherston'" <>, "'Krzysztof Zaraska'" <>, <>
Subject:   RE: Which intrusion detection to use?
Message-ID:  <000001c19d17$ec59c7c0$40c801ca@warhawk>
In-Reply-To: <7052044C7D7AD511A20200508B5A9C58516AF7@MAGRAT>


> -----Original Message-----
> From: Lee Brotherston []
> Sent: Monday, January 14, 2002 8:30 PM
> To: 'Haikal Saadh'; 'Krzysztof Zaraska';
> Subject: RE: Which intrusion detection to use?
> | What I'd like someone to clarify for me is:
> | Is snort actually seeing incoming packets on my outside interface, and
> | I've been really lucky so far
> | 		OR
> | Is snort not hearing anything on my outside interface? (tun0)
>
> Have you tried waiting until the dialup connection is
> established then running snort with:
>
> -i tun0
>
> This specifies which interface to listen on.  You will of
> course not see any traffic on your local lan anymore, as it
> will not be sniffing the interface connected to your
> hub/switch.  It should however pick up the inbound traffic and
> any local traffic that goes out over the interface.
>
> If you want to get paranoid run snort on all interfaces and
> compare the results :)
>
> Normally you need to run an instance per interface, unless
> you're using a Linux 2.1.x/2.2.x kernel.  If you are you
> might want to see

I suspected that, as a lot of the docco I've read points to people who do
indeed have two instances of snort running. I was, however, misled by
being able to set HOMENET to any in snort.conf. I think I'll add an
entry in ppp.linkup to start snort when my modem dials out.

Thanks for setting me straight on this matter.
