[Snort-users] Can snort be used for single host Intrusion Detection?(A newbie Question)
lshoujun at ...131...
Tue Jul 8 13:16:30 EDT 2003
Ok, ive managed to get it to work by using the -p,
making snort work in non-promiscuous mode.
Of course along with that, ive set the
$HOME_NET=IP-of-machine. Initially I had $EXTERNAL_NET
set to !HOME_NET, but it still works with the default
Thank you all for your time. I really appreciate it.
--- "Andrew R. Baker" <andrewb at ...950...> wrote: >
Erek Adams wrote:
> > On Thu, 3 Jul 2003, [iso-8859-1] Louis Lam wrote:
> >>Okay, thanks, I see what you mean. I tried that
> >>but still manage to pick up attack traffic to
> >>host. Here is the scenario:
> >>Suppose the host that has snort installed is
> >>192.168.1.10, and i set my HOME_NET to
> >>Then i tried to use another machine 192.168.1.20
> >>nmap another machine 192.168.1.30, the snort on
> >>192.168.1.10 still can pick up the traffic and
> >>generate alerts.
> >>I understand that snort is more of a Netword based
> >>IDS, but lets assume that i'm in a sad case where
> >>can't even trust my neighbours in the same
> >>what other configuration needs to be done?
> > Honestly it sounds like a misconfig issue. Once
> you make the change in
> > snort.conf, are you restarting Snort? If you're
> not, you need to. What
> > is your EXTERNAL_NET set to? If it's still at
> 'any' change it to
> > '!$HOME_NET'.
> One other thing that should be considered when
> running Snort to only
> protect a single host is to use the '-p' command
> line switch to disable
> promiscuous mode sniffing. Doing so will cause
> Snort to only see those
> packets addressed to the interface it is running on.
Want to chat instantly with your online friends? Get the FREE Yahoo!
More information about the Snort-users