Snort mailing list archives
RE: Can snort be used for single host Intrusion Detection?(A newbie Question)
From: "Herb Martin" <HerbM () LearnQuick Com>
Date: Sun, 6 Jul 2003 13:19:00 -0500
I understand that snort is more of a Network based IDS, but let's assume that I'm in a sad case where I can't even trust my neighbours in the same network. What other configuration needs to be done?
[I don't find this particularly 'sad' or odd even, as I am working to improve security on a "dedicated rental server" sitting at an ISP in another state. Clearly I don't even KNOW my neighbors, much less trust them <grin>]
One other thing that should be considered when running Snort to only protect a single host is to use the '-p' command line switch to disable promiscuous mode sniffing. Doing so will cause Snort to only see those packets addressed to the interface it is running on.
I think this will help me too, with the question I was about to ask, i.e., "Does WinPCap and therefore Snort 'see' packets DROPPED by IPSec filters?"

Obviously, in promiscuous mode it must see items not even To/From the NIC -- duh.

I have been adding IPSec filters but cannot convince myself they are effective since I still see the Snort Alerts for this presumably blocked traffic.

Any thoughts on IPSec and what Snort (WinPCap) sees? (I am now using -p switch.)

Herb Martin
HerbM () LearnQuick Com
http://LearnQuick.Com