From: Lee Brotherston
To: 'Haikal Saadh', 'Krzysztof Zaraska', freebsd-security@freebsd.org
Subject: RE: Which intrusion detection to use?
Date: Mon, 14 Jan 2002 15:29:59 -0000
Message-ID: <7052044C7D7AD511A20200508B5A9C58516AF7@MAGRAT>

| What I'd like someone to clarify for me is:
| Is snort actually seeing incoming packets on my outside interface, and
| I've been really lucky so far
| OR
| Is snort not hearing anything on my outside interface? (tun0)

Have you tried waiting until the dialup connection is established, then
running snort with:

    -i tun0

This specifies which interface to listen on. You will of course not see
any traffic on your local LAN any more, as it will not be sniffing the
interface connected to your hub/switch. It should, however, pick up the
inbound traffic and any local traffic that goes out over the interface.

If you want to get paranoid, run snort on all interfaces and compare the
results :) Normally you need to run an instance per interface, unless
you're using a Linux 2.1.x/2.2.x kernel. If you are, you might want to see
http://www.snort.org/docs/faq.html#3.4

Thanks

Lee

--
Lee Brotherston - IP Security Manager, Easynet Ltd
http://www.easynet.net/
Phone: +44 20 7900 4444
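As an added example (not from Lee's post or the snort project), a small sh script for FreeBSD that does what the reply suggests: it waits for an interface such as tun0 to report UP after the dialup link comes up, then starts one snort instance per interface, each with its own log directory so the captures can be compared. The snort.conf path and log root are assumptions; the ifconfig samples in the comments are constructed.

```shell
#!/bin/sh
# Added example: one snort instance per interface, each started only once
# that interface is UP (e.g. tun0 after the dialup connection is made).
# SNORT_CONF and LOG_ROOT are assumed locations; override them as needed.
SNORT_CONF="${SNORT_CONF:-/usr/local/etc/snort.conf}"
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"

# iface_is_up IFACE [IFCONFIG_TEXT]
# Returns 0 when the interface's flags line carries UP, e.g. (constructed):
#   tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
# The optional second argument supplies ifconfig output for offline use;
# otherwise the real `ifconfig IFACE` is consulted (non-zero if absent).
iface_is_up() {
    iface=$1
    if [ $# -ge 2 ]; then
        text=$2
    else
        text=$(ifconfig "$iface" 2>/dev/null) || return 1
    fi
    printf '%s\n' "$text" | grep -q "^$iface: flags=.*[<,]UP[,>]"
}

# snort_cmd IFACE
# Prints the command line for a snort bound to IFACE (-i), reading the
# shared config (-c), logging under its own directory (-l) and
# daemonising (-D). Separate log trees let you diff interface results.
snort_cmd() {
    printf 'snort -i %s -c %s -l %s/%s -D\n' "$1" "$SNORT_CONF" "$LOG_ROOT" "$1"
}

# wait_and_launch IFACE: poll until the interface is up, then start snort.
wait_and_launch() {
    iface=$1
    until iface_is_up "$iface"; do
        sleep 5
    done
    mkdir -p "$LOG_ROOT/$iface"
    eval "$(snort_cmd "$iface")"
}

# Usage: ./snort-per-iface.sh tun0 xl0   (one watcher per interface)
if [ $# -gt 0 ]; then
    for i in "$@"; do
        wait_and_launch "$i" &
    done
    wait
fi
```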