[Snort-users] Can snort be used for single host Intrusion Detection?(A newbie Question)
lshoujun at ...131...
Thu Jul 3 06:00:51 EDT 2003
Okay, thanks, I see what you mean. I tried that too
but still manage to pick up attack traffic to another
host. Here is the scenario:
Suppose the host that has snort installed is
192.168.1.10, and i set my HOME_NET to
Then i tried to use another machine 192.168.1.20 to
nmap another machine 192.168.1.30, the snort on
192.168.1.10 still can pick up the traffic and
I understand that snort is more of a Netword based
IDS, but lets assume that i'm in a sad case where I
can't even trust my neighbours in the same network.
what other configuration needs to be done?
--- Erek Adams <erek at ...950...> wrote: > On Wed, 2 Jul
2003, [iso-8859-1] Louis Lam wrote:
> > The snort configuration file allows users to
> specify a
> > range of network addresses that it detects
> > on. I understand that it is possible to ignore
> > coming from a particular host.
> > Is it possible to configure snort such that it
> > checks traffic coming into a particular host?
> HOME_NET is best described as "the network or range
> of IP's that you want
> to protect." Simply define your HOME_NET as a
> single host:
> var HOME_NET 10.10.10.1/32
> Erek Adams
> "When things get weird, the weird turn pro."
> H.S. Thompson
Want to chat instantly with your online friends? Get the FREE Yahoo!
More information about the Snort-users