Snort mailing list archives

Re: Snort will not detect anything on stealth


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 19 Jul 2004 12:43:42 -0400

At 09:53 AM 7/19/2004, Rhugga wrote:
My snort box is on an internal address, 10.250.200.xx (there are no external routable IP addresses NATed to the machine). This is interface eth0, it has a copper gig connection directly to a port in a black diamond switch. (The NIC is a SysKonnect)

On the same box I ran a cable from the onboard 100mb intel NIC to the same hub that contains only our border router and our two firewalls. (the firewalls are in a redundant pair) The connection is full duplex 100 mb (same with the router and firewalls). This is interface eth1.

Um.. Clearly there's a detail omitted above. You can't have a full-duplex connection to a Hub.

Is it a switch? Is it set as a span port?

If it's a switch without a span port, you're hosed. Connect eth1 to something else that's appropriate for sniffing, like a HUB, a TAP, or a switch with a span port.

Switches by default only forward packets to ports that need them, and thus inherently defeat the promiscuous sniffing behaviors of snort, as well as any other promisc ethernet tool.



I _only_ want to monitor traffic on eth1, I don't care anything about eth0 for this particular IDS. (I have others for internal networks) I don't want eth1 to have an IP address nor do I want to use any static arp entries anywhere.

To do this, how would I define HOME_NET and the other vars?

First, think about the traffic that's going to go by snort's sniffing interface.

HOME_NET is basically "what set of IP addresses do you wish to watch to see if they are the target of an attack". This is why, when you set eth1 to a bogus address and then used it as HOME_NET, you never got any alerts. No attacks were ever seen going to the bogus address, and everything else was ignored.

Common choices for HOME_NET are:
        all the IP addresses belonging to boxes you control that the sensor will see traffic for
        any (results in more noise, but if attacks are launched from your network to the rest of the world, you'll see them)

EXTERNAL_NET is basically "what set of IP addresses do you wish to consider possible sources of attack".

Common choices of EXTERNAL_NET are:
        any
        !$HOME_NET (causes apparent attacks from your network machines to be ignored, even if to another HOME_NET machine)
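To make the HOME_NET/EXTERNAL_NET semantics above concrete, here is an added Python illustration (not from the thread and not Snort's own code) that evaluates the direction clause of a typical rule, `$EXTERNAL_NET any -> $HOME_NET any`, against a few constructed packets under the variable choices discussed; the addresses and the 10.250.200.0/24 internal range are assumed for illustration.

```python
import ipaddress

# Constructed sample traffic (src, dst) as a sensor on the border segment
# might see it. These addresses are made up for the example.
SAMPLE_PACKETS = [
    ("203.0.113.7", "10.250.200.5"),     # outside host probing an internal box
    ("10.250.200.5", "10.250.200.9"),    # internal host probing another internal box
    ("10.250.200.5", "198.51.100.20"),   # internal host attacking the outside world
]


def parse_var(value, env):
    """Turn a snort.conf-style variable value into (negate, networks).

    Supports 'any', a CIDR/host or bracketed list like [a,b], and a
    reference to an earlier variable such as !$HOME_NET. Returns
    networks=None for 'any'.
    """
    value = value.strip()
    if value == "any":
        return (False, None)
    negate = value.startswith("!")
    if negate:
        value = value[1:]
    if value.startswith("$"):               # reference to an earlier variable
        ref_negate, nets = env[value[1:]]
        return (negate != ref_negate, nets)
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in value.strip("[]").split(",")]
    return (negate, nets)


def matches(var, ip):
    """Does address ip satisfy the variable (honouring '!' negation)?"""
    negate, nets = var
    if nets is None:                        # 'any' matches everything
        return True
    hit = any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negate


def alerts(home_net, external_net, packets=SAMPLE_PACKETS):
    """Packets whose src is in $EXTERNAL_NET and dst is in $HOME_NET,
    i.e. the direction clause of a typical inbound attack rule."""
    env = {}
    env["HOME_NET"] = parse_var(home_net, env)
    env["EXTERNAL_NET"] = parse_var(external_net, env)
    return [(src, dst) for src, dst in packets
            if matches(env["EXTERNAL_NET"], src)
            and matches(env["HOME_NET"], dst)]
```

With a bogus single-host HOME_NET nothing is reported, because no traffic is addressed to it; with the real internal range and EXTERNAL_NET set to `!$HOME_NET`, the internal-to-internal probe is dropped, and only HOME_NET `any` catches the outbound attack.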
