Snort mailing list archives

Re: Snort will not detect anything on stealth interface unless I assign IP


From: Rhugga <snort-list () sandiego420 com>
Date: Mon, 19 Jul 2004 06:53:52 -0700

Matt Kettler wrote:

> At 03:10 PM 7/17/2004, Rhugga wrote:
>
>> I have attached 1 interface from the IDS box to a hub containing our border router and our 2 firewalls. I bring the interface up with no IP address and snort will not start due to $eth1_ADDRESS being null.
>
>
> What are you using $eth1_address for? Your HOME_NET?
>
> If you set the eth1 interface to an invalid dummy address, and then try to use that dummy address for HOME_NET, of course no rules will match, because none of the traffic on your wire is in HOME_NET.
>
> Edit your snort.conf to not use the interface address macros when doing stealth interfaces.

I guess I am confused about how to configure HOME_NET, etc...

Here is what I am trying to do:

My snort box is on an internal address, 10.250.200.xx (there are no external routable IP addresses NATed to the machine). This is interface eth0; it has a copper gig connection directly to a port in a black diamond switch. (The NIC is a SysKonnect.)

On the same box I ran a cable from the onboard 100mb Intel NIC to the same hub that contains only our border router and our two firewalls. (The firewalls are in a redundant pair.) The connection is full duplex 100 mb. (Same with the router and firewalls.) This is interface eth1.

I _only_ want to monitor traffic on eth1; I don't care anything about eth0 for this particular IDS. (I have others for internal networks.) I don't want eth1 to have an IP address, nor do I want to use any static arp entries anywhere.

To do this, how would I define HOME_NET and the other vars too?

Thx,
Rhugga
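
An added illustration of the failure discussed in this thread (not part of either poster's message and not Snort project code): the script lists every snort.conf variable that depends on an interface address macro, directly or through another variable, and rewrites the macro to an explicit network. The sample configuration is constructed, the function names are hypothetical, and 192.0.2.0/24 is a documentation placeholder standing in for the real monitored range.

```shell
#!/bin/sh
# Added example: find snort.conf variables that break when the sniffing
# interface has no IP address, then pin them to an explicit network.

# Constructed snort.conf fragment (not from the original post).
sample_conf() {
cat <<'EOF'
var HOME_NET $eth1_ADDRESS
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var HTTP_PORTS 80
EOF
}

# Read a snort.conf on stdin; print the variables whose value depends,
# directly or through another variable, on a $<iface>_ADDRESS macro.
affected_vars() {
    awk '
    $1 == "var" && NF >= 3 { name[++n] = $2; val[n] = $3 }
    END {
        for (i = 1; i <= n; i++)
            if (val[i] ~ /\$[A-Za-z0-9]+_ADDRESS/) bad[name[i]] = 1
        do {
            changed = 0
            for (i = 1; i <= n; i++) {
                if (name[i] in bad) continue
                for (b in bad)
                    if (index(val[i], "$" b)) { bad[name[i]] = 1; changed = 1; break }
            }
        } while (changed)
        for (i = 1; i <= n; i++)
            if (name[i] in bad) { printf "%s%s", sep, name[i]; sep = " " }
    }'
}

# Replace every interface address macro with an explicit value ($1).
pin_networks() {
    sed "s|\\\$[A-Za-z0-9]*_ADDRESS|$1|g"
}

# 192.0.2.0/24 is a documentation placeholder, not the poster's network.
echo "depends on interface address: $(sample_conf | affected_vars)"
sample_conf | pin_networks '[192.0.2.0/24]'
```

The dependency match is by substring, so a variable whose name merely begins with an affected name (for example a hypothetical `$HOME_NETWORK`) is reported as well.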







