[Snort-users] Can snort be used for single host Intrusion Detection?(A newbie Question)
HerbM at ...9629...
Tue Jul 8 13:16:25 EDT 2003
> >>I understand that snort is more of a Netword based
> >>IDS, but lets assume that i'm in a sad case where I
> >>can't even trust my neighbours in the same network.
> >>what other configuration needs to be done?
[I don't find the particularly 'sad' or odd even, as I
am working to improve security on a "dedicated rental
server" sitting at an ISP in another state. Clearly I
don't even KNOW my neighbors, much less trust them <grin>]
> One other thing that should be considered when running Snort to only
> protect a single host is to use the '-p' command line switch to disable
> promiscuous mode sniffing. Doing so will cause Snort to only see those
> packets addressed to the interface it is running on.
I think this will help me too, with the question I
was about to ask, i.e., "Does WinPCap and therefore
Snort 'see' packets DROPPED by IPSec filters?"
Obviously, in promiscuous mode it must see items not
even To/From the NIC -- duh.
I have been adding IPSec filters but cannot convince
myself they are effective since I still see the Snort
Alerts for this presumably blocked traffic.
Any thoughts on IPSec and what Snort (WinPCap) sees?
(I am now using -p switch.)
HerbM at ...9629... http://LearnQuick.Com
More information about the Snort-users