Snort mailing list archives

Re: Can snort be used for single host Intrusion Detection?(A newbie Question)

From: Louis Lam <lshoujun () yahoo com>
Date: Mon, 7 Jul 2003 03:28:04 +0100 (BST)

hi,

Ok, ive managed to get it to work by using the -p,
making snort work in non-promiscuous  mode.
Of course along with that, ive set the
$HOME_NET=IP-of-machine. Initially I had $EXTERNAL_NET
set to !HOME_NET, but it still works with the default
"any"

Thank you all for your time. I really appreciate it.



 --- "Andrew R. Baker" <andrewb () snort org> wrote: >
Erek Adams wrote:

On Thu, 3 Jul 2003, [iso-8859-1] Louis Lam wrote:

Okay, thanks, I see what you mean. I tried that

too

but still manage to pick up attack traffic to

another

host. Here is the scenario:

Suppose the host that has snort installed is
192.168.1.10, and i set my HOME_NET to
192.168.1.10/32.

Then i tried to use another machine 192.168.1.20

to

nmap another machine 192.168.1.30, the snort on
192.168.1.10 still can pick up the traffic and
generate alerts.

I understand that snort is more of a Netword based
IDS, but lets assume that i'm in a sad case where

can't even trust my neighbours in the same

network.

what other configuration needs to be done?



Honestly it sounds like a misconfig issue.  Once

you make the change in

snort.conf, are you restarting Snort?  If you're

not, you need to.  What

is your EXTERNAL_NET set to?  If it's still at

'any' change it to

'!$HOME_NET'.


One other thing that should be considered when
running Snort to only 
protect a single host is to use the '-p' command
line switch to disable 
promiscuous mode sniffing.  Doing so will cause
Snort to only see those 
packets addressed to the interface it is running on.

-A


=====
Warmest Regards,
Louis Lam

________________________________________________________________________
Want to chat instantly with your online friends?  Get the FREE Yahoo!
Messenger http://uk.messenger.yahoo.com/


-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Can snort be used for single host Intrusion Detection?(A newbie Question) Louis Lam (Jul 02)
- Re: Can snort be used for single host Intrusion Detection?(A newbie Question) David Alonso De La Vega Tapage (Jul 02)
  - rules for P2P programs? Julio E. Gonzalez P. (Jul 02)
- Re: Can snort be used for single host Intrusion Detection?(A newbie Question) Erek Adams (Jul 02)
  - Re: Can snort be used for single host Intrusion Detection?(A newbie Question) Louis Lam (Jul 03)
    - Re: Can snort be used for single host Intrusion Detection?(A newbie Question) Erek Adams (Jul 03)
    - Re: Can snort be used for single host Intrusion Detection?(A newbie Question) Andrew R. Baker (Jul 06)
    - Re: Can snort be used for single host Intrusion Detection?(A newbie Question) Louis Lam (Jul 08)
    - RE: Can snort be used for single host Intrusion Detection?(A newbie Question) Herb Martin (Jul 08)
- AW: Can snort be used for single host Intrusion Detection?(A newbie Question) Sean Wheeler (Jul 04)