[Snort-users] Can snort be used for single host Intrusion Detection?(A newbie Question)

Herb Martin HerbM at ...9629...
Tue Jul 8 13:16:25 EDT 2003


> >>I understand that snort is more of a Netword based
> >>IDS, but lets assume that i'm in a sad case where I
> >>can't even trust my neighbours in the same network.
> >>what other configuration needs to be done?
> >

[I don't find the particularly 'sad' or odd even, as I
am working to improve security on a "dedicated rental
server" sitting at an ISP in another state.  Clearly I
don't even KNOW my neighbors, much less trust them <grin>]

> One other thing that should be considered when running Snort to only
> protect a single host is to use the '-p' command line switch to disable
> promiscuous mode sniffing.  Doing so will cause Snort to only see those
> packets addressed to the interface it is running on.

I think this will help me too, with the question I
was about to ask, i.e.,  "Does WinPCap and therefore
Snort 'see' packets DROPPED by IPSec filters?"

Obviously, in promiscuous mode it must see items not
even To/From the NIC -- duh.

I have been adding IPSec filters but cannot convince
myself they are effective since I still see the Snort
Alerts for this presumably blocked traffic.

Any thoughts on IPSec and what Snort (WinPCap) sees?
(I am now using -p switch.)

Herb Martin
HerbM at ...9629... http://LearnQuick.Com







More information about the Snort-users mailing list