[Snort-users] ignoring an interface

Erek Adams erek at ...577...
Mon Aug 12 17:50:02 EDT 2002


On Mon, 12 Aug 2002, Paul Greene wrote:

> How do you ignore an interface with snort?

errr....  Not really any need to--In my world that is. :)

> i.e. I have a working stealth IDS with two layer 2 interfaces monitoring
> all the traffic flowing between these two interfaces; this seems to be
> working fine.
>
> However, I want to add a third interface that'll connect to an isolated
> network for administrative purposes; no one can get to that network unless
> they are physically inside my house (if that happens, I've got bigger
> things to worry about!)
>
> How would I ignore that 3rd interface, which should never have any
> interesting traffic running on it to worry about?

Under normal conditions, snort won't look at any interface except the 'first
one'.  If you are using snort with "-i any", then this doesn't hold
true.  Not to mention that "-i any" only works on newer kernels, sorry--I
don't have the number ATM.  Check the FAQ, it's there.

One thing that you might consider is a BPF filter to ignore the "net" that you
need to.

	snort <options> "not net <new_interface_net>"

You could also use a pass rule, and the -o parameter.

	snort -o <options>

and in the rules file:

	pass <ignore_net>/<CIDR notation> -> $HOME_NET ...

For more info on ignoring things, have a look at:

	http://www.theadamsfamily.net/~erek/snort/ignore.txt

Hope this helps!  Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list