[Snort-users] ignoring an interface
erek at ...577...
Mon Aug 12 17:50:02 EDT 2002
On Mon, 12 Aug 2002, Paul Greene wrote:
> How do you ignore an interface with snort?
errr.... Not really any need to--In my world that is. :)
> i.e. I have a working stealth IDS with two layer 2 interfaces monitoring
> all the traffic flowing between these two interfaces; this seems to be
> working fine.
> However, I want to add a third interface that'll connect to an isolated
> network for administrative purposes; no one can get to that network unless
> they are physically inside my house (if that happens, I've got bigger
> things to worry about!)
> How would I ignore that 3rd interface, which should never have any
> interesting traffic running on it to worry about?
Under normal conditions, snort won't look at any interface except the 'first
one'. If you are using snort with "-i any", then this doesn't hold
true. Not to mention that "-i any" only works on newer kernels, sorry--I
don't have the number ATM. Check the FAQ, it's there.
One thing that you might consider is a BPF filter to ignore the "net" that you
snort <options> "not net <new_interface_net>"
You could also use a pass rule, and the -o parameter.
snort -o <options>
and in the rules file:
pass <ignore_net>/<CIDR notation> -> $HOME_NET ...
For more info on ignoring things, have a look at:
Hope this helps! Cheers!
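As an added illustration (my own Python model, not Snort's code or the poster's, with constructed addresses, rules and packets): the two approaches above side by side, showing that a BPF "not net" filter excludes the admin network's packets in both directions before any rule runs, while a pass rule only takes precedence over alert rules under the -o rule order.

```python
"""Model of the two approaches from the post: a BPF 'not net' capture filter
versus a Snort pass rule, whose effect depends on the rule order (-o).
Added illustration, not Snort code; addresses, rules and packets are constructed."""
import ipaddress

# Constructed networks: HOME_NET is what the sensor watches, ADMIN_NET is the
# isolated network on the third interface that should never raise alerts.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
ADMIN_NET = ipaddress.ip_network("192.168.200.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed rules as (action, source net, destination net); in Snort syntax:
#   alert ip any any -> $HOME_NET any (msg:"example"; ...)
#   pass  ip 192.168.200.0/24 any -> $HOME_NET any
RULES = [("alert", ANY, HOME_NET), ("pass", ADMIN_NET, HOME_NET)]

def bpf_not_net(net):
    """Capture filter given after the options: snort <options> 'not net ...'."""
    return f"not net {net.with_prefixlen}"

def passes_bpf(pkt, net=ADMIN_NET):
    """'not net X' keeps a packet only if neither endpoint is in X, so the admin
    network is excluded in both directions before any rule is evaluated."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return src not in net and dst not in net

def rule_action(pkt, rules=RULES, pass_first=False):
    """First matching rule type wins. Default order is alert -> pass -> log;
    -o switches to pass -> alert -> log, so only then does pass beat alert."""
    order = ("pass", "alert", "log") if pass_first else ("alert", "pass", "log")
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for wanted in order:
        for action, src_net, dst_net in rules:
            if action == wanted and src in src_net and dst in dst_net:
                return action
    return "none"

def sensor_decision(pkt, use_bpf=False, pass_first=False):
    """Both mechanisms together: a BPF-dropped packet never reaches the rules."""
    if use_bpf and not passes_bpf(pkt):
        return "filtered"
    return rule_action(pkt, pass_first=pass_first)

# Constructed packets: one from the admin network, one from outside.
ADMIN_PKT = {"src": "192.168.200.5", "dst": "10.1.2.3"}
OUTSIDE_PKT = {"src": "203.0.113.9", "dst": "10.1.2.3"}

if __name__ == "__main__":
    for label, pkt in (("admin", ADMIN_PKT), ("outside", OUTSIDE_PKT)):
        print(label, sensor_decision(pkt, True), sensor_decision(pkt),
              sensor_decision(pkt, pass_first=True))
```

Without -o the admin packet still alerts despite the pass rule; the BPF filter avoids the question entirely because the packet is never handed to the rule engine.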