[Snort-users] Can snort be used for single host Intrusion Detection?(A newbie Question)

Louis Lam lshoujun at ...131...
Tue Jul 8 13:16:30 EDT 2003


Ok, ive managed to get it to work by using the -p,
making snort work in non-promiscuous  mode.
Of course along with that, ive set the
$HOME_NET=IP-of-machine. Initially I had $EXTERNAL_NET
set to !HOME_NET, but it still works with the default

Thank you all for your time. I really appreciate it.

 --- "Andrew R. Baker" <andrewb at ...950...> wrote: >
Erek Adams wrote:
> > On Thu, 3 Jul 2003, [iso-8859-1] Louis Lam wrote:
> > 
> > 
> >>Okay, thanks, I see what you mean. I tried that
> too
> >>but still manage to pick up attack traffic to
> another
> >>host. Here is the scenario:
> >>
> >>Suppose the host that has snort installed is
> >>, and i set my HOME_NET to
> >>
> >>
> >>Then i tried to use another machine
> to
> >>nmap another machine, the snort on
> >> still can pick up the traffic and
> >>generate alerts.
> >>
> >>I understand that snort is more of a Netword based
> >>IDS, but lets assume that i'm in a sad case where
> I
> >>can't even trust my neighbours in the same
> network.
> >>what other configuration needs to be done?
> > 
> > 
> > Honestly it sounds like a misconfig issue.  Once
> you make the change in
> > snort.conf, are you restarting Snort?  If you're
> not, you need to.  What
> > is your EXTERNAL_NET set to?  If it's still at
> 'any' change it to
> > '!$HOME_NET'.
> One other thing that should be considered when
> running Snort to only 
> protect a single host is to use the '-p' command
> line switch to disable 
> promiscuous mode sniffing.  Doing so will cause
> Snort to only see those 
> packets addressed to the interface it is running on.
> -A

Warmest Regards,
Louis Lam

Want to chat instantly with your online friends?  Get the FREE Yahoo!
Messenger http://uk.messenger.yahoo.com/

More information about the Snort-users mailing list