[Snort-users] Can snort be used for single host Intrusion Detection?(A newbie Question)

Louis Lam lshoujun at ...131...
Thu Jul 3 06:00:51 EDT 2003

Okay, thanks, I see what you mean. I tried that too
but still managed to pick up attack traffic to another
host. Here is the scenario:

Suppose the host that has snort installed is, and I set my HOME_NET to

Then I tried to use another machine to
nmap another machine, the snort on still can pick up the traffic and
generate alerts.

I understand that snort is more of a network-based
IDS, but let's assume that I'm in a sad case where I
can't even trust my neighbours in the same network.
What other configuration needs to be done?

--- Erek Adams <erek at ...950...> wrote:
> On Wed, 2 Jul 2003, Louis Lam wrote:
> > The snort configuration file allows users to specify a
> > range of network addresses that it detects activities
> > on. I understand that it is possible to ignore traffic
> > coming from a particular host.
> >
> > Is it possible to configure snort such that it only
> > checks traffic coming into a particular host?
>
> HOME_NET is best described as "the network or range of IP's that you want
> to protect."  Simply define your HOME_NET as a single host:
>
> 	var HOME_NET
>
> Cheers!
> -----
> Erek Adams
>    "When things get weird, the weird turn pro."  H.S. Thompson

Warmest Regards,
Louis Lam
