Snort mailing list archives

Re: ignoring an interface


From: Erek Adams <erek () theadamsfamily net>
Date: Mon, 12 Aug 2002 17:49:04 -0700 (PDT)

On Mon, 12 Aug 2002, Paul Greene wrote:

> How do you ignore an interface with snort?

errr....  Not really any need to--In my world that is. :)

> i.e. I have a working stealth IDS with two layer 2 interfaces monitoring
> all the traffic flowing between these two interfaces; this seems to be
> working fine.
>
> However, I want to add a third interface that'll connect to an isolated
> network for administrative purposes; no one can get to that network unless
> they are physically inside my house (if that happens, I've got bigger
> things to worry about!)
>
> How would I ignore that 3rd interface, which should never have any
> interesting traffic running on it to worry about?

Under normal conditions, snort won't look at any interface except the 'first
one'.  If you are using snort with "-i any", then this doesn't hold
true.  Not to mention that "-i any" only works on newer kernels, sorry--I
don't have the number ATM.  Check the FAQ, it's there.

One thing that you might consider is a BPF filter to ignore the "net" that you
need to.

        snort <options> "not net <new_interface_net>"

You could also use a pass rule, and the -o parameter.

        snort -o <options>

and in the rules file:

        pass <ignore_net>/<CIDR notation> -> $HOME_NET ...

For more info on ignoring things, have a look at:

        http://www.theadamsfamily.net/~erek/snort/ignore.txt

Hope this helps!  Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
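
Added example, not part of the original message: a small Python model of how much traffic each of the two suggestions above stops the sensor from inspecting. The addresses are constructed stand-ins for `<new_interface_net>` and `$HOME_NET`, and the pass rule is assumed to cover any protocol and port, since the message elides those fields.

```python
import ipaddress

# Constructed addresses (assumptions, not from the original message).
ADMIN_NET = ipaddress.ip_network("192.168.50.0/24")  # stands in for <new_interface_net>
HOME_NET = ipaddress.ip_network("10.0.0.0/24")       # stands in for $HOME_NET

def bpf_not_net(src, dst, net=ADMIN_NET):
    """Model of the BPF filter "not net <net>": True if the packet reaches Snort.
    An unqualified `net` primitive matches on source OR destination."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not (s in net or d in net)

def pass_rule_hits(src, dst, ignore=ADMIN_NET, home=HOME_NET):
    """Model of `pass <ignore_net> -> $HOME_NET` (any protocol/port assumed).
    `->` is one-directional: only ignore_net-to-HOME_NET traffic is passed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return s in ignore and d in home

def coverage(flows):
    """For each (src, dst) flow, report whether each approach still inspects it."""
    return {
        (src, dst): {
            "bpf_inspected": bpf_not_net(src, dst),
            "pass_inspected": not pass_rule_hits(src, dst),
        }
        for src, dst in flows
    }

# Constructed sample flows.
FLOWS = [
    ("192.168.50.10", "10.0.0.5"),     # admin net -> home net
    ("10.0.0.5", "192.168.50.10"),     # home net -> admin net (reply direction)
    ("192.168.50.10", "203.0.113.7"),  # admin net -> elsewhere
    ("203.0.113.7", "10.0.0.5"),       # unrelated traffic
]

if __name__ == "__main__":
    for flow, result in coverage(FLOWS).items():
        print(flow, result)
```

The BPF filter removes every packet with an address in the ignored net, in either direction, before any rule runs; the one-directional pass rule leaves the reply direction and traffic to other destinations under inspection.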


