Snort question - using with no IP
Results 1 to 8 of 8

Thread: Snort question - using with no IP

  1. #1
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487

    Question Snort question - using with no IP

    Ok got a basic networking/Snort newb question here...I'm new to Snort and know just basic Linux networking....

    I have Snort running on RedHat Linux Fedora Core 3. I want to monitor traffic (attacks) on my home Internet connection: the connection is cable modem and I only get 1 IP. I want to be able to continue having an Internet connection so my firewall needs to stay hooked up to the cable modem and have an IP -- hence the only allowed 1 IP statement. I have placed a hub in between my cable modem and firewall (of course) and have plugged the Snort box up to that hub as well (so it's outside of my firewall).

    When I try to start Snort without an IP on the interface -- just brought up interface but doesnt have anything assigned to it -- Snort doesnt start. When I assign an IP of 0.0.0.0 I see traffic (TCPDUMP) but it's just a bunch of ARPs from various IPs with a DHCP request thrown in.

    My question is: how can I set Snort up to monitor this activity without giving it an IP?

  2. #2
    Junior Member kevler's Avatar
    Join Date
    Sep 2001
    Posts
    6
    HINT - var HOME_NET any

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Why not simply put a $45 router in place of the hub? This way, you can be seen as a single IP to your ISP and you can set a static RCF1918 addy to your snort box behind the router, or, you can throw it into a DMZ between the ISP and the inside network. You have many options here. The rest of your hosts can grab a DHCP address from the router and life is wonderful in smallville.

    Don't get hung up on sniffing w/o an IP. The power is in simplicity.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    th: Thanks for the tip...I got somewhere with it but not all the way where I wanted to.

    I have one of those inexpensive NAT/routers on the Internet connection, Netgear RT114, and figured out there are 2 options with it: port forwarding or default DMZ. I tried the default DMZ and it looks like it only forwards the common ports (HTTP, FTP, SSH, SNMP, etc) because the scan I did from www.grc.com showed only ssh open (yeah I know...I'll turn it off the all IPs other than my mgmt PC) and I dont see any snort hits other than a SNMP hit. The port forwarding seems to work because I see a bunch of snort hits and TCPDUMP shows traffic...however my lil NAT device only allows forwarding ports 1-1025

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Rico... Hah.... I think I see your problem....

    The router you are using has the DMZ function, (Linksys, D-Link or similar, right?), but the DMZ function _requires_ that you give the IP address to be DMZed.... It ain't going to happen the way you want it to.

    What I do at home is that I placed a hub outside the router and multi-homed my PC, (2 NICs). I named one "Internal" and the other "External".... I'm smart... Nothing like confusing your cards and leaving your box open to the world while you play around....

    I have all protocols unbound from the External card.... It neither transmits nor receives because it doesn't understand the protocols. But Snort will still put it in promiscuous mode and it Snort's away very happily on all ports.

    Have fun... But remember it has to be a hub or a switch where you have a span port.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Indeed Tiger is right. Using the hub is the "poor man's" port spanning service. Most cheapy routers (like mine) do not offer spanning features, rather, a dmz. At home I simply monitor the DMZ where I host certain services. This is all I'm concerned with. Anything on the inside is monitored with a very special home grown solution.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Anything on the inside is monitored with a very special home grown solution
    Ahhh... The "daughter protection system".... I read your paper.... very impressive.... I like the way that the walls around the house appear solid but let the bullets right through.... very creative and effective too, I'm sure...
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  8. #8
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    I actually use the 'poor mans method' that ric-o is trying to set up. One problem I had initially is that not all hubs are hubs! I was getting arps and dhcps just like you(basically broadcast traffic). It turns out that I had about 3 different "labeled hubs' that were all switchs.

    I also run snort on a stealth interface.Snort should not have a problem if an interface is not assigned an IP address as long as the interface itself is up.
    That which does not kill me makes me stronger -- Friedrich Nietzche

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides