[Snort-users] Can snort be used for single host Intrusion Detection?(A newbie Question)

Erek Adams erek at ...950...
Thu Jul 3 13:17:14 EDT 2003

On Thu, 3 Jul 2003, [iso-8859-1] Louis Lam wrote:

> Okay, thanks, I see what you mean. I tried that too
> but still manage to pick up attack traffic to another
> host. Here is the scenario:
> Suppose the host that has snort installed is
>, and i set my HOME_NET to
> Then i tried to use another machine to
> nmap another machine, the snort on
> still can pick up the traffic and
> generate alerts.
> I understand that snort is more of a Netword based
> IDS, but lets assume that i'm in a sad case where I
> can't even trust my neighbours in the same network.
> what other configuration needs to be done?

Honestly it sounds like a misconfig issue.  Once you make the change in
snort.conf, are you restarting Snort?  If you're not, you need to.  What
is your EXTERNAL_NET set to?  If it's still at 'any' change it to


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

More information about the Snort-users mailing list