Snort mailing list archives
RE: Snort with DHCP
From: "Sadanapalli, Pradeep Kumar (MED, TCS)" <Pradeep.Sadanapalli () med ge com>
Date: Fri, 2 May 2003 17:11:13 -0500
Thanks Erek for your nice explanation.

So just to confirm, if I add the below lines "var HOME_NET $eth0_ADDRESS" in snort.conf, along with other configuration lines and "/usr/local/bin/snort -i eth0 -l /var/log/snort/ -d -b -c /etc/snort/snort.cond -D -p " will meet my requirements that "running snort to watch the network traffic destined only to my machine and also taking care of the changing IP address in DHCP scenario"

If I am wrong somewhere, please correct me.

Pradeep

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Friday, May 02, 2003 4:59 PM
To: Sadanapalli, Pradeep Kumar (MED, TCS)
Cc: 'David Alonso De La Vega Tapage'; Erek Adams; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort with DHCP

On Fri, 2 May 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:
> Thanks Erek. Yes my listening interface is eth0. My intention is to configure snort to see the traffic only on my NIC. So by keeping "var HOME_NET $eth0-ADDRESS" in snort.conf, will it meet my requirement?
As long as you made it "$eth0_ADDRESS". ;-) (See the bottom of the message for an explanation of HOME_NET.)
> What is the difference between running snort in promiscuous mode and not in promiscuous mode?
Promisc mode will listen to "everything" on the wire (ethernet). Granted, you may not have 'everything' sent to you, but promisc mode grabs every packet. On a switch, you only see traffic destined for you, so promisc mode may/may not be of use to you. Some OS's have issues with promisc mode, which is why the flag exists. There are more details, but I won't bore you with them--Unless you ask. ;-)

HOME_NET defines the 'area' or IP space that you want to watch. If you set up a burglar alarm in your house, and wanted to watch the kitchen and the bedroom, then your HOME_NET would consist of 'kitchen, the_bedroom'. Keep in mind that we're talking in terms of IP addresses, and that those IP's can relate to a HUGE netblock (/8 anyone? :). Think of it as HOME_NET == 'stuff I want to make sure is safe'.

Hope that helps!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
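As an added example (not written by anyone in this thread), the following Python sketch checks whether the HOME_NET defined in a snort.conf still covers the address an interface currently holds, which is the DHCP concern raised above. The sample configs, IP addresses and the function names `parse_vars` and `check_home_net` are constructed for illustration, and the current address is passed in rather than read from the system.

```python
import ipaddress
import re

# Constructed sample configs (not taken from the thread).
STATIC_CONF = """
# static address copied from an old DHCP lease
var HOME_NET 192.168.1.23/32
var EXTERNAL_NET any
"""
DYNAMIC_CONF = "var HOME_NET $eth0_ADDRESS\nvar EXTERNAL_NET !$HOME_NET\n"
LIST_CONF = "var HOME_NET [10.0.0.0/8,192.168.1.0/24]\n"

# Matches "var NAME VALUE" at the start of a line; commented-out lines are skipped.
VAR_RE = re.compile(r"^[ \t]*var[ \t]+(\S+)[ \t]+(\S+)", re.MULTILINE)


def parse_vars(conf_text):
    """Return {name: raw_value} for every 'var NAME VALUE' line; later lines win."""
    return {name: value for name, value in VAR_RE.findall(conf_text)}


def check_home_net(conf_text, iface, current_ip):
    """Classify HOME_NET against the address the interface holds right now."""
    raw = parse_vars(conf_text).get("HOME_NET")
    if raw is None:
        return "missing"
    if raw == "any":
        return "any"                      # watches every address
    if raw == f"${iface}_ADDRESS":
        return "tracks-interface"         # the form confirmed in the thread
    if raw.startswith("$"):
        return "other-variable"           # another variable; not resolved here
    # Static value: a single CIDR or a bracketed, comma-separated list.
    # Negated entries ("!10.0.0.0/8") are not handled in this sketch.
    addr = ipaddress.ip_address(current_ip)
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in raw.strip("[]").split(",") if n.strip()]
    return "static-ok" if any(addr in n for n in nets) else "static-stale"


if __name__ == "__main__":
    # Constructed scenario: the DHCP lease moved from .23 to .57.
    for label, conf in (("static", STATIC_CONF), ("dynamic", DYNAMIC_CONF),
                        ("list", LIST_CONF)):
        print(label, check_home_net(conf, "eth0", "192.168.1.57"))
```

A "static-stale" result means HOME_NET names an address the machine no longer holds, so rules written against `$HOME_NET` would no longer match traffic to this host.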