Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Can snort be used for single host Intrusion Detection?(A newbie Question)

From: Erek Adams <erek () snort org>
Date: Thu, 3 Jul 2003 16:16:17 -0400 (EDT)
On Thu, 3 Jul 2003, [iso-8859-1] Louis Lam wrote:


Okay, thanks, I see what you mean. I tried that too
but still manage to pick up attack traffic to another
host. Here is the scenario:

Suppose the host that has snort installed is
192.168.1.10, and i set my HOME_NET to
192.168.1.10/32.

Then i tried to use another machine 192.168.1.20 to
nmap another machine 192.168.1.30, the snort on
192.168.1.10 still can pick up the traffic and
generate alerts.

I understand that snort is more of a Netword based
IDS, but lets assume that i'm in a sad case where I
can't even trust my neighbours in the same network.
what other configuration needs to be done?


Honestly it sounds like a misconfig issue.  Once you make the change in
snort.conf, are you restarting Snort?  If you're not, you need to.  What
is your EXTERNAL_NET set to?  If it's still at 'any' change it to
'!$HOME_NET'.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_061203_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: