Date: Mon, 14 Jan 2002 21:24:09 +0500
From: "Haikal Saadh" <wyldephyre2@yahoo.com>
To: "'Lee Brotherston'" <lee.brotherston@uk.easynet.net>, "'Krzysztof Zaraska'" <kzaraska@student.uci.agh.edu.pl>, <freebsd-security@freebsd.org>
Subject: RE: Which intrusion detection to use?
Message-ID: <000001c19d17$ec59c7c0$40c801ca@warhawk>
In-Reply-To: <7052044C7D7AD511A20200508B5A9C58516AF7@MAGRAT>

> -----Original Message-----
> From: Lee Brotherston [mailto:lee.brotherston@uk.easynet.net]
> Sent: Monday, January 14, 2002 8:30 PM
> To: 'Haikal Saadh'; 'Krzysztof Zaraska'; freebsd-security@freebsd.org
> Subject: RE: Which intrusion detection to use?
>
> | What I'd like someone to clarify for me is:
> | Is snort actually seeing incoming packets on my outside interface, and
> | I've been really lucky so far
> | OR
> | Is snort not hearing anything on my outside interface? (tun0)
>
> Have you tried waiting until the dialup connection is
> established then running snort with:
>
> -i tun0
>
> This specifies which interface to listen on. You will of
> course not see any traffic on your local lan anymore, as it
> will not be sniffing the interface connected to your
> hub/switch. It should however pick up the inbound traffic and
> any local traffic that goes out over the interface.
>
> If you want to get paranoid run snort on all interfaces and
> compare the results :)
>
> Normally you need to run an instance per interface, unless
> you're using a linux 2.1.x/2.2.x kernel. If you are you
> might want to see http://www.snort.org/docs/faq.html#3.4
>

I suspected that, as a lot of the docco I've read points to people who
do indeed have two instances of snort running. I was, however, misled by
being able to set HOMENET to any in snort.conf.

I think I'll add an entry in ppp.linkup to start snort when my modem
dials out.

Thanks for setting me straight on this matter.