RE: Can snort be used for single host Intrusion Detection?(A newbie Question)

["Herb Martin" <HerbM () LearnQuick Com>]

> > > I understand that snort is more of a Netword based
> > > IDS, but lets assume that i'm in a sad case where I
> > > can't even trust my neighbours in the same network.
> > > what other configuration needs to be done?

[I don't find the particularly 'sad' or odd even, as I
am working to improve security on a "dedicated rental
server" sitting at an ISP in another state.  Clearly I
don't even KNOW my neighbors, much less trust them <grin>]

> One other thing that should be considered when running Snort to only
> protect a single host is to use the '-p' command line switch to disable
> promiscuous mode sniffing.  Doing so will cause Snort to only see those
> packets addressed to the interface it is running on.

I think this will help me too, with the question I
was about to ask, i.e.,  "Does WinPCap and therefore
Snort 'see' packets DROPPED by IPSec filters?"

Obviously, in promiscuous mode it must see items not
even To/From the NIC -- duh.

I have been adding IPSec filters but cannot convince
myself they are effective since I still see the Snort
Alerts for this presumably blocked traffic.

Any thoughts on IPSec and what Snort (WinPCap) sees?
(I am now using -p switch.)

Herb Martin
HerbM () LearnQuick Com http://LearnQuick.Com





-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users