[Snort-users] Snort with DHCP
erek at ...950...
Fri May 2 15:04:46 EDT 2003

On Fri, 2 May 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:

> Thanks Erek. Yes my listening interface is eth0. My intention is to
> configure snort to see the traffic only on my NIC.
> So by keeping "var HOME_NET $eth0-ADDRESS" in snort.conf, will it meet
> my requirement?

As long as you made it "$eth0_ADDRESS". ;-) (See the bottom of the
message for an explanation of HOME_NET.)

> What is the difference between running snort in promiscuous mode and not
> in promiscuous mode?

Promisc mode will listen to "everything" on the wire (ethernet).
Granted, you may not have 'everything' sent to you, but promisc mode grabs
every packet. On a switch, you only see traffic destined for you, so
promisc mode may/may not be of use to you. Some OSes have issues with
promisc mode, which is why the flag exists. There are more details, but I
won't bore you with them--unless you ask. ;-)

HOME_NET defines the 'area' or IP space that you want to watch. If you
set up a burglar alarm in your house, and wanted to watch the kitchen and
the bedroom, then your HOME_NET would consist of 'kitchen, the_bedroom'.
Keep in mind that we're talking in terms of IP addresses, and that those
IPs can relate to a HUGE netblock (/8 anyone? :). Think of it as
HOME_NET == 'stuff I want to make sure is safe'.

Hope that helps!

"When things get weird, the weird turn pro." H.S. Thompson