[Snort-users] Can snort be used for single host Intrusion Detection?(A newbie Question)

Andrew R. Baker andrewb at ...950...
Sun Jul 6 08:31:13 EDT 2003

Erek Adams wrote:
> On Thu, 3 Jul 2003, Louis Lam wrote:
>>Okay, thanks, I see what you mean. I tried that too
>>but still manage to pick up attack traffic to another
>>host. Here is the scenario:
>>Suppose the host that has snort installed is
>>, and I set my HOME_NET to
>>Then I tried to use another machine to
>>nmap another machine, the snort on
>> still can pick up the traffic and
>>generate alerts.
>>I understand that snort is more of a Network based
>>IDS, but let's assume that I'm in a sad case where I
>>can't even trust my neighbours in the same network.
>>What other configuration needs to be done?
> Honestly it sounds like a misconfig issue.  Once you make the change in
> snort.conf, are you restarting Snort?  If you're not, you need to.  What
> is your EXTERNAL_NET set to?  If it's still at 'any' change it to
> '!$HOME_NET'.

One other thing that should be considered when running Snort to only 
protect a single host is to use the '-p' command line switch to disable 
promiscuous mode sniffing.  Doing so will cause Snort to only see those 
packets addressed to the interface it is running on.
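
An added example, not part of the original thread: a small Python model of the two filters discussed above, the interface filter that '-p' switches on and the HOME_NET / EXTERNAL_NET test in a rule header. All MAC and IP addresses are constructed lab values, and the function names are hypothetical, not Snort's own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab values (assumptions; the thread's addresses are not shown).
SENSOR_MAC = "02:00:00:00:00:10"
BROADCAST = "ff:ff:ff:ff:ff:ff"
HOME_NET = ipaddress.ip_network("192.0.2.10/32")  # the single Snort host

@dataclass(frozen=True)
class Packet:
    dst_mac: str
    src_ip: str
    dst_ip: str

def nic_delivers(pkt, promiscuous):
    """Frames the interface hands to Snort. With -p (promiscuous off) only
    frames for our own MAC or broadcast arrive; multicast is not modelled."""
    return promiscuous or pkt.dst_mac.lower() in (SENSOR_MAC, BROADCAST)

def side_matches(ip, spec):
    """spec is 'any', '$HOME_NET' or '!$HOME_NET', as in a rule header."""
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in HOME_NET
    return inside if spec == "$HOME_NET" else not inside

def matched(packets, promiscuous, src_spec, dst_spec):
    """Packets that reach Snort and match the header src_spec -> dst_spec."""
    return [p for p in packets
            if nic_delivers(p, promiscuous)
            and side_matches(p.src_ip, src_spec)
            and side_matches(p.dst_ip, dst_spec)]

# Constructed traffic on a shared segment: a scan of a neighbour, a scan of
# the Snort host itself, and a broadcast frame.
SCAN_OF_NEIGHBOUR = Packet("02:00:00:00:00:20", "192.0.2.30", "192.0.2.20")
SCAN_OF_SENSOR = Packet(SENSOR_MAC, "192.0.2.30", "192.0.2.10")
BROADCAST_FRAME = Packet(BROADCAST, "192.0.2.30", "192.0.2.255")
TRAFFIC = [SCAN_OF_NEIGHBOUR, SCAN_OF_SENSOR, BROADCAST_FRAME]

if __name__ == "__main__":
    for promisc in (True, False):
        for src, dst in (("any", "any"), ("!$HOME_NET", "$HOME_NET")):
            hits = matched(TRAFFIC, promisc, src, dst)
            print(f"promiscuous={promisc} {src} -> {dst}: {len(hits)} packet(s)")
```

In this model a rule header written as any -> any still matches the neighbour's traffic while the interface is promiscuous, whatever HOME_NET is set to; with promiscuous mode off, that frame never reaches Snort, though broadcast frames still do.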

