[Snort-users] Can snort be used for single host Intrusion Detection?(A newbie Question)

Louis Lam lshoujun at ...131...
Thu Jul 3 06:00:51 EDT 2003


Okay, thanks, I see what you mean. I tried that too
but still managed to pick up attack traffic to another
host. Here is the scenario:

Suppose the host that has snort installed is
192.168.1.10, and I set my HOME_NET to
192.168.1.10/32.

Then I tried to use another machine 192.168.1.20 to
nmap another machine 192.168.1.30, the snort on
192.168.1.10 still can pick up the traffic and
generate alerts.

I understand that snort is more of a Network-based
IDS, but let's assume that I'm in a sad case where I
can't even trust my neighbours in the same network.
What other configuration needs to be done?

--- Erek Adams <erek at ...950...> wrote:
> On Wed, 2 Jul 2003, Louis Lam wrote:
>
> > The snort configuration file allows users to specify a
> > range of network addresses that it detects activities
> > on. I understand that it is possible to ignore traffic
> > coming from a particular host.
> >
> > Is it possible to configure snort such that it only
> > checks traffic coming into a particular host?
>
> HOME_NET is best described as "the network or range of IP's that you want
> to protect."  Simply define your HOME_NET as a single host:
> 
> 	var HOME_NET 10.10.10.1/32
> 
> Cheers!
> 
> -----
> Erek Adams
> 
>    "When things get weird, the weird turn pro."  H.S. Thompson

=====
Warmest Regards,
Louis Lam
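
Added example, not part of the original message and not Snort's own code: a simplified Python model of how the address fields of a Snort rule header are evaluated, showing that a /32 HOME_NET only narrows rules that actually reference $HOME_NET. The two rule headers, the EXTERNAL_NET value and the function names are assumptions made for illustration; the addresses are the ones from the scenario above.

```python
import ipaddress

# Constructed values: addresses from the message above, with EXTERNAL_NET
# left at "any" (an assumption about the configuration in use).
VARS = {"HOME_NET": "192.168.1.10/32", "EXTERNAL_NET": "any"}


def addr_matches(spec, ip, variables=VARS):
    """Evaluate one address field of a rule header against an IP."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):  # variable reference, may itself be negated
        hit = addr_matches(variables[spec[1:]], ip, variables)
    elif spec == "any":
        hit = True
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def header_matches(header, src, dst, variables=VARS):
    """True if a packet src -> dst satisfies the header's address fields.

    Header layout: action proto src_ip src_port direction dst_ip dst_port.
    Protocol and ports are ignored to keep the focus on HOME_NET.
    """
    _action, _proto, h_src, _sport, direction, h_dst, _dport = header.split()
    forward = addr_matches(h_src, src, variables) and addr_matches(h_dst, dst, variables)
    if direction == "<>":  # bidirectional operator also tries the reverse
        return forward or (
            addr_matches(h_src, dst, variables) and addr_matches(h_dst, src, variables)
        )
    return forward


# Hypothetical rule headers, written for this example only.
SCOPED = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"
UNSCOPED = "alert tcp any any -> any any"

if __name__ == "__main__":
    for src, dst in [("192.168.1.20", "192.168.1.30"),
                     ("192.168.1.20", "192.168.1.10")]:
        print(src, "->", dst,
              "scoped:", header_matches(SCOPED, src, dst),
              "unscoped:", header_matches(UNSCOPED, src, dst))
```

A rule whose header does not reference $HOME_NET is unaffected by the variable, so it is worth checking which rule raised each alert. Snort also accepts a BPF expression at the end of its command line (for example `host 192.168.1.10`) to limit which packets it inspects at all.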
