From: "Haikal Saadh"
To: "'Lee Brotherston'", "'Krzysztof Zaraska'", freebsd-security@freebsd.org
Subject: RE: Which intrusion detection to use?
Date: Mon, 14 Jan 2002 21:24:09 +0500
Message-ID: <000001c19d17$ec59c7c0$40c801ca@warhawk>
In-reply-to: <7052044C7D7AD511A20200508B5A9C58516AF7@MAGRAT>
List: freebsd-security@FreeBSD.ORG

> -----Original Message-----
> From: Lee Brotherston [mailto:lee.brotherston@uk.easynet.net]
> Sent: Monday, January 14, 2002 8:30 PM
> To: 'Haikal Saadh'; 'Krzysztof Zaraska'; freebsd-security@freebsd.org
> Subject: RE: Which intrusion detection to use?
>
> | What I'd like someone to clarify for me is:
> | Is snort actually seeing incoming packets on my outside interface, and
> | I've been really lucky so far
> | OR
> | Is snort not hearing anything on my outside interface? (tun0)
>
> Have you tried waiting until the dialup connection is established, then running snort with:
>
>     -i tun0
>
> This specifies which interface to listen on. You will of course not see any traffic on your local LAN anymore, as it will not be sniffing the interface connected to your hub/switch. It should however pick up the inbound traffic and any local traffic that goes out over the interface.
>
> If you want to get paranoid, run snort on all interfaces and compare the results :)
>
> Normally you need to run an instance per interface, unless you're using a linux 2.1.x/2.2.x kernel. If you are, you might want to see http://www.snort.org/docs/faq.html#3.4

I suspected that, as a lot of the documentation I've read points to people who do indeed have two instances of snort running. I was, however, misled by being able to set HOMENET to any in snort.conf.

I think I'll add an entry in ppp.linkup to start snort when my modem dials out.

Thanks for setting me straight on this matter.
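The "one snort instance per interface" arrangement from the exchange above, written out as a small Bourne shell wrapper. This is an added example, not a script from either poster or from the snort project. It assumes a snort 1.x binary at /usr/local/bin/snort and a rules file at /usr/local/etc/snort.conf (both hypothetical paths, overridable through the environment), and it assumes the ppp.linkup `!bg` syntax of FreeBSD user-ppp for starting it once the dialup link is up. Each instance gets its own log directory, and the interface name is validated before it is placed on a command line, because ppp passes the interface name into the script.

```sh
#!/bin/sh
# snortifs.sh: start one snort instance per interface.
# Added example for the thread above; not from snort or from the posters.
# Assumed (hypothetical) locations; override from the environment if needed.
SNORT=${SNORT:-/usr/local/bin/snort}
CONF=${CONF:-/usr/local/etc/snort.conf}
LOGBASE=${LOGBASE:-/var/log/snort}

# Snort 1.x sniffs exactly one interface per process (-i), so an instance
# started without -i on the LAN side never sees tun0. HOME_NET/HOMENET in
# snort.conf only decides which addresses count as "home" in the rules; it
# does not make one process listen on more than one interface.

# Accept only plain interface names such as tun0, fxp0, ed1. Rejecting anything
# else keeps shell metacharacters out of the snort command line; the name can
# arrive from ppp.linkup, so it is not fully under the operator's control.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Render the command line for one interface. Kept separate so it can be shown
# (DRYRUN) or inspected without actually having snort installed.
# -D: daemonize, -i: interface, -c: rules file, -l: per-interface log dir.
snort_cmd() {
    printf '%s -D -i %s -c %s -l %s/%s\n' "$SNORT" "$1" "$CONF" "$LOGBASE" "$1"
}

# Start one daemon per interface named on the command line.
# With DRYRUN set, print the command instead of running it.
start_on() {
    for iface in "$@"; do
        if ! valid_iface "$iface"; then
            printf 'refusing bad interface name: %s\n' "$iface" >&2
            return 1
        fi
        logdir="$LOGBASE/$iface"
        mkdir -p "$logdir" || return 1
        if [ -n "${DRYRUN:-}" ]; then
            snort_cmd "$iface"
        else
            "$SNORT" -D -i "$iface" -c "$CONF" -l "$logdir" || return 1
        fi
    done
}

# Usage:
#   snortifs.sh start fxp0            # LAN side, from rc on boot
#   snortifs.sh start tun0            # dialup side, once the link is up
#
# To run the second one from user-ppp when the link comes up, an entry in
# /etc/ppp/ppp.linkup of the following shape is assumed (MYADDR matches any
# address the link is assigned; !bg runs the command in the background):
#
#   MYADDR:
#    !bg /usr/local/sbin/snortifs.sh start tun0
case "${1:-}" in
    start) shift; start_on "$@" ;;
esac
```

Running the LAN-side instance from rc and the tun0 instance from ppp.linkup means the outside interface is only ever sniffed while it exists; a snort started on tun0 before ppp has created the interface would simply fail, which is the reason for the "wait until the connection is established" advice quoted above.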