Hello everyone on the list!
I have a CL 7.0 server that uses BrasilTelecom ADSL. I use eth0 to
connect to the ADSL modem and eth1 for the internal network. When the ADSL
connects, it brings up the ppp0 interface, through which it receives a valid
IP so that I can reach the Internet.
When I use masquerading (iptables or ipchains), I always have to set
ppp0 as the interface to be masqueraded, because eth0 does not respond to it.
So I assumed the same about Snort. Its configuration files ask me to set
the interface to be "listened on". I set eth0 and got nothing, then tried
ppp0 and got nothing. In both cases it reports no error, but when I test an
attack (a remote nmap) it also reports nothing in the database.
Here are the 2 configuration files:
[root@Router /root]# cat /etc/snort/snort.conf
# $Id: snort.conf,v 1.13 2001/01/02 21:42:11 roesch Exp $
####################################################################
# This file contains a sample snort configuration. You can take the
# following steps to create your own custom configuration:
#
# 1) Set the HOME_NET variable for your network
# 2) Configure preprocessors
# 3) Configure output plugins
# 4) Customize your rule set
#
####################################################################
# Step #1: Set the HOME_NET variable:
#
# You must change the HOME_NET variable to reflect your local
# network. The variable is currently setup for an RFC 1918 address
# space.
#
# You can specify it explicitly as: var HOME_NET 10.1.1.0/24
# or use global variable $<intname>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface
# which you run snort at.
#
# You can specify lists of IP addresses by separating the IPs with commas
# like this:
#
# [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
#
#var HOME_NET $eth0_ADDRESS
var HOME_NET $eth1_ADDRESS
# Set up the external network addresses as well. A good start may be
# "any"...
var EXTERNAL_NET any
# Define the addresses of DNS servers and other hosts if you want to ignore
# portscan false alarms from them...
var DNS_SERVERS [200.180.128.68/32,200.215.1.35/32]
........
Here I set the interface to be listened on, that is, ppp0:
[root@Router /root]# cat /etc/sysconfig/snort
# system wide configuration file for the snort daemon
# put here the interface you whish snort to monitor
# please note that the startup script
# will also modify /etc/snort/snort.conf to reflect this
# Note: this interface better be up before starting snort!
INTERFACE=ppp0
# set ACTIVATE to 'yes' if you want snort to be run everytime
# the INTERFACE goes up. If you really want to use snort, you
# should set this to 'yes'.
# the init script can also be used to toggle this setting
ACTIVATE=no
# setting AUTO to 'yes' will have the startup script change the
# HOME_NET variable in /etc/snort/snort.conf to the INTERFACE's
# address everytime snort is started via the init script
# i.e., it will change the line
# var HOME_NET blabla
# to
# var HOME_NET $eth0_ADDRESS
# if INTERFACE were set to eth0
# If you want more control over snort's behaviour, set this to 'no'
AUTO=no
# 'yes' will put the interface in promiscuous mode, anything
# else will disable this
PROMISC=no
# extra parameters. These are inserted at the end of snort's command
# line. Please do not repeat options already used, check the startup
# script if in doubt
EXTRA_OPTIONS=
.......
If anyone has already used Snort on ADSL, please share some tips.
Ricardo Manica Pereira
Network Consulting and Implementation
(Linux, Windows 9x, Windows 2000,
Windows 2000 Server, NT Server)
55-99713795
[EMAIL PROTECTED]
Subscribers as of 04/10/2001: 2358
Messages received since 07/01/1999: 135320
Archive and [un]subscription: http://linux-br.conectiva.com.br
Administrative matters and problems with the list:
mailto:[EMAIL PROTECTED]
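
A cross-check of the two files quoted in the message, as an added example that is not part of the original post or of the Snort package: it compares the interface Snort listens on with the interface HOME_NET is derived from, and reads ACTIVATE as the file's own comments describe it. The function names are hypothetical, the sample files are constructed from the values shown above, and it assumes the rules in use match on $HOME_NET.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the interface
# settings in /etc/sysconfig/snort against HOME_NET in snort.conf.

# Value of the last active KEY=VALUE line in a sysconfig-style file.
sysconfig_get() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1
}

# Interface named by the last active "var HOME_NET $<if>_ADDRESS" line.
home_net_iface() {
    sed -n 's/^[[:space:]]*var[[:space:]][[:space:]]*HOME_NET[[:space:]][[:space:]]*\$\([A-Za-z0-9]*\)_ADDRESS.*/\1/p' "$1" | tail -n 1
}

# check_snort_iface SYSCONFIG SNORT_CONF: prints one line per finding.
check_snort_iface() {
    iface=$(sysconfig_get INTERFACE "$1")
    activate=$(sysconfig_get ACTIVATE "$1")
    home_if=$(home_net_iface "$2")
    echo "listening on: ${iface:-unset}; HOME_NET taken from: ${home_if:-literal value}"
    # Assumption: the rules in use match on $HOME_NET, so packets seen on
    # the listening interface must carry addresses inside HOME_NET.
    if [ -n "$home_if" ] && [ "$home_if" != "$iface" ]; then
        echo "WARN: HOME_NET is ${home_if}'s address but snort listens on ${iface};" \
             "AUTO=yes lets the init script set it to \$${iface}_ADDRESS"
    fi
    # Per the file's own comments, ACTIVATE=yes runs snort each time
    # INTERFACE goes up, which matters for an on-demand ppp0 link.
    if [ "$activate" != "yes" ]; then
        echo "WARN: ACTIVATE=${activate:-unset}: snort is not run when ${iface} comes up"
    fi
}

# Constructed sample input: the relevant lines of the two files in the post.
tmp=$(mktemp -d)
cat > "$tmp/sysconfig" <<'EOF'
INTERFACE=ppp0
ACTIVATE=no
AUTO=no
PROMISC=no
EOF
cat > "$tmp/snort.conf" <<'EOF'
#var HOME_NET $eth0_ADDRESS
var HOME_NET $eth1_ADDRESS
var EXTERNAL_NET any
EOF
check_snort_iface "$tmp/sysconfig" "$tmp/snort.conf"
```

On the real host, pass `/etc/sysconfig/snort` and `/etc/snort/snort.conf` as the two arguments.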