[Snort-users] Can snort be used for single host Intrusion Detection?(A newbie Question)
Andrew R. Baker
andrewb at ...950...
Sun Jul 6 08:31:13 EDT 2003
Erek Adams wrote:
> On Thu, 3 Jul 2003, [iso-8859-1] Louis Lam wrote:
>>Okay, thanks, I see what you mean. I tried that too
>>but still manage to pick up attack traffic to another
>>host. Here is the scenario:
>>Suppose the host that has snort installed is
>>192.168.1.10, and I set my HOME_NET to
>>Then I tried to use another machine 192.168.1.20 to
>>nmap another machine 192.168.1.30, the snort on
>>192.168.1.10 still can pick up the traffic and
>>I understand that snort is more of a Network based
>>IDS, but let's assume that I'm in a sad case where I
>>can't even trust my neighbours in the same network.
>>What other configuration needs to be done?
> Honestly it sounds like a misconfig issue. Once you make the change in
> snort.conf, are you restarting Snort? If you're not, you need to. What
> is your EXTERNAL_NET set to? If it's still at 'any' change it to
One other thing that should be considered when running Snort to only
protect a single host is to use the '-p' command line switch to disable
promiscuous mode sniffing. Doing so will cause Snort to only see those
packets addressed to the interface it is running on.
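
The following is an added example, not part of the original thread or of Snort itself: a simplified model of the two filters discussed above, the NIC's promiscuous-mode setting ('-p') and the HOME_NET/EXTERNAL_NET variables in a rule header, applied to the scenario's three hosts. The MAC addresses, the frames, and the HOME_NET/EXTERNAL_NET values are constructed for illustration (the thread does not show the values actually used), and preprocessors that alert independently of rule headers are not modelled.

```python
from ipaddress import ip_address, ip_network

SENSOR_MAC = "00:00:5e:00:53:10"  # constructed MAC for the Snort host 192.168.1.10
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed frames on a shared segment: (label, dst_mac, src_ip, dst_ip)
FRAMES = [
    ("scan of neighbour", "00:00:5e:00:53:30", "192.168.1.20", "192.168.1.30"),
    ("scan of sensor", SENSOR_MAC, "192.168.1.20", "192.168.1.10"),
    ("subnet broadcast", BROADCAST_MAC, "192.168.1.20", "192.168.1.255"),
]


def nic_delivers(dst_mac, promiscuous):
    """Without promiscuous mode the NIC passes up only frames sent to its
    own MAC or to broadcast (multicast is left out of this model)."""
    return promiscuous or dst_mac in (SENSOR_MAC, BROADCAST_MAC)


def header_matches(src_ip, dst_ip, home_net, external_net):
    """Model of the common rule header '$EXTERNAL_NET any -> $HOME_NET any'."""
    home = ip_network(home_net)
    if ip_address(dst_ip) not in home:
        return False
    if external_net == "any":
        return True
    if external_net == "!$HOME_NET":
        return ip_address(src_ip) not in home
    raise ValueError("unsupported EXTERNAL_NET value in this model")


def alerting_frames(promiscuous, home_net, external_net):
    """Labels of the frames that reach Snort and match the rule header."""
    return [label for label, mac, src, dst in FRAMES
            if nic_delivers(mac, promiscuous)
            and header_matches(src, dst, home_net, external_net)]


if __name__ == "__main__":
    settings = [("192.168.1.0/24", "any"), ("192.168.1.0/24", "!$HOME_NET"),
                ("192.168.1.10/32", "any"), ("192.168.1.10/32", "!$HOME_NET")]
    for promiscuous in (True, False):
        for home_net, external_net in settings:
            hits = alerting_frames(promiscuous, home_net, external_net)
            print(f"promiscuous={promiscuous!s:5} HOME_NET={home_net:16} "
                  f"EXTERNAL_NET={external_net:10} -> {hits}")
```

In this model a subnet-wide HOME_NET with promiscuous sniffing alerts on the neighbour's traffic, while either a host-only HOME_NET or non-promiscuous capture removes it; broadcast frames still reach the sensor without promiscuous mode.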