Snort mailing list archives

RE: Snort with DHCP


From: Erek Adams <erek () snort org>
Date: Fri, 2 May 2003 17:58:45 -0400 (EDT)

On Fri, 2 May 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:

> Thanks Erek. Yes my listening interface is eth0. My intention is to
> configure snort to see the traffic only on my NIC.
> So by keeping "var HOME_NET $eth0-ADDRESS" in snort.conf, will it meet
> my requirement?

As long as you made it "$eth0_ADDRESS".  ;-)  (See the bottom of the
message for an explanation of HOME_NET.)

> What is the difference between running snort in promiscuous mode and not
> in promiscuous mode?

Promisc mode will listen to "everything" on the wire (ethernet).
Granted, you may not have 'everything' sent to you, but promisc mode grabs
every packet.  On a switch, you only see traffic destined for you, so
promisc mode may/may not be of use to you.  Some OS's have issues with
promisc mode, which is why the flag exists.  There are more details, but I
won't bore you with them--Unless you ask.  ;-)

HOME_NET defines the 'area' or IP space that you want to watch.  If you
set up a burglar alarm in your house, and wanted to watch the kitchen and
the bedroom, then your HOME_NET would consist of 'kitchen, the_bedroom'.
Keep in mind that we're talking in terms of IP addresses, and that those
IP's can relate to a HUGE netblock (/8 anyone? :).  Think of it as
HOME_NET == 'stuff I want to make sure is safe'.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

