Re: [Snort-users] snort on a worksation (fc1) <-- router <--
At 04:52 PM 5/11/2004, steph march wrote:
>I would like to monitor for internet activity
>and not the internal activity, but I'm having
>trouble understanding how to do that with a router.
>(and for sure, activity on the workstation with
>snort, which is, let say, 192.168.1.3)
>
>So it will look like this :
>var HOME_NET [192.168.1.0/24]
>
>but what happen if 192.168.1.1 is the router ?

What about it? Do you honestly expect packets to be addressed to 192.168.1.1 (other than ARPs)?

You won't be able to see any internet traffic addressed directly to the router, but that would be impossible anyway. Internet traffic to the router is going to be addressed to the outside interface address, not the inside address, and you'll only be able to see that traffic by tapping in between the cablemodem and the router.

>and what about the workstation with snort (192.168.1.3) ?

So? Do you want to monitor internet traffic being a

It sounds like you want the following as your HOME_NET and EXTERNAL_NET:

var HOME_NET [192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET

Also be aware if you are using any ethernet switches, or a switch built into the router, snort will only see traffic relating to the switch port snort is connected to.
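The HOME_NET / EXTERNAL_NET pair suggested in the reply, evaluated against a few constructed flows. This is an added example, not part of the original message or of Snort itself; the helper names, the simplified flat-list handling and the documentation-range public addresses are assumptions.

```python
import ipaddress

# The two variable lines from the reply above.
CONF = """
var HOME_NET [192.168.1.0/24]
var EXTERNAL_NET !$HOME_NET
"""

def parse_vars(conf_text):
    """Collect 'var NAME VALUE' lines from a snort.conf fragment."""
    table = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            table[parts[1]] = parts[2].strip()
    return table

def matches(addr, spec, table):
    """Simplified model: handles !negation, $VAR, any, flat [a,b] lists, CIDR."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not matches(addr, spec[1:], table)
    if spec.startswith("$"):
        return matches(addr, table[spec[1:]], table)
    if spec == "any":
        return True
    if spec.startswith("["):
        items = [s.strip() for s in spec.strip("[]").split(",") if s.strip()]
        return any(matches(addr, s, table) for s in items)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def classify(src, dst, table):
    """Label a flow by which side of HOME_NET each endpoint falls on."""
    s_home = matches(src, "$HOME_NET", table)
    d_home = matches(dst, "$HOME_NET", table)
    if s_home and d_home:
        return "internal"        # LAN to LAN, e.g. workstation to router inside address
    if d_home:
        return "inbound"         # matches $EXTERNAL_NET -> $HOME_NET
    if s_home:
        return "outbound"        # matches $HOME_NET -> $EXTERNAL_NET
    return "external-only"       # neither endpoint is in HOME_NET

if __name__ == "__main__":
    table = parse_vars(CONF)
    # Constructed flows; 198.51.100.7 and 203.0.113.10 are documentation addresses,
    # the latter standing in for the router's outside interface.
    for src, dst in [("198.51.100.7", "192.168.1.3"), ("192.168.1.3", "198.51.100.7"),
                     ("192.168.1.3", "192.168.1.1"), ("198.51.100.7", "203.0.113.10")]:
        print(f"{src:>15} -> {dst:<15} {classify(src, dst, table)}")
```

The last flow shows why traffic addressed to the router's outside interface falls outside HOME_NET even if a sensor were placed where it could see it.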