Snort mailing list archives
Re: Can snort be used for single host Intrusion Detection?(A newbie Question)
From: Louis Lam <lshoujun () yahoo com>
Date: Mon, 7 Jul 2003 03:28:04 +0100 (BST)
hi, Ok, ive managed to get it to work by using the -p, making snort work in non-promiscuous mode. Of course along with that, ive set the $HOME_NET=IP-of-machine. Initially I had $EXTERNAL_NET set to !HOME_NET, but it still works with the default "any" Thank you all for your time. I really appreciate it. --- "Andrew R. Baker" <andrewb () snort org> wrote: > Erek Adams wrote:
On Thu, 3 Jul 2003, [iso-8859-1] Louis Lam wrote:Okay, thanks, I see what you mean. I tried thattoobut still manage to pick up attack traffic toanotherhost. Here is the scenario: Suppose the host that has snort installed is 192.168.1.10, and i set my HOME_NET to 192.168.1.10/32. Then i tried to use another machine 192.168.1.20tonmap another machine 192.168.1.30, the snort on 192.168.1.10 still can pick up the traffic and generate alerts. I understand that snort is more of a Netword based IDS, but lets assume that i'm in a sad case whereIcan't even trust my neighbours in the samenetwork.what other configuration needs to be done?Honestly it sounds like a misconfig issue. Onceyou make the change insnort.conf, are you restarting Snort? If you'renot, you need to. Whatis your EXTERNAL_NET set to? If it's still at'any' change it to'!$HOME_NET'.One other thing that should be considered when running Snort to only protect a single host is to use the '-p' command line switch to disable promiscuous mode sniffing. Doing so will cause Snort to only see those packets addressed to the interface it is running on. -A
===== Warmest Regards, Louis Lam ________________________________________________________________________ Want to chat instantly with your online friends? Get the FREE Yahoo! Messenger http://uk.messenger.yahoo.com/ ------------------------------------------------------- This SF.Net email sponsored by: Parasoft Error proof Web apps, automate testing & more. Download & eval WebKing and get a free book. www.parasoft.com/bulletproofapps _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Can snort be used for single host Intrusion Detection?(A newbie Question) Louis Lam (Jul 02)
- Re: Can snort be used for single host Intrusion Detection?(A newbie Question) David Alonso De La Vega Tapage (Jul 02)
- rules for P2P programs? Julio E. Gonzalez P. (Jul 02)
- Re: Can snort be used for single host Intrusion Detection?(A newbie Question) Erek Adams (Jul 02)
- Re: Can snort be used for single host Intrusion Detection?(A newbie Question) Louis Lam (Jul 03)
- Re: Can snort be used for single host Intrusion Detection?(A newbie Question) Erek Adams (Jul 03)
- Re: Can snort be used for single host Intrusion Detection?(A newbie Question) Andrew R. Baker (Jul 06)
- Re: Can snort be used for single host Intrusion Detection?(A newbie Question) Louis Lam (Jul 08)
- RE: Can snort be used for single host Intrusion Detection?(A newbie Question) Herb Martin (Jul 08)
- Re: Can snort be used for single host Intrusion Detection?(A newbie Question) Louis Lam (Jul 03)
- Re: Can snort be used for single host Intrusion Detection?(A newbie Question) David Alonso De La Vega Tapage (Jul 02)