[Snort-users] Snort with DHCP

Sadanapalli, Pradeep Kumar (MED, TCS) Pradeep.Sadanapalli at ...8430...
Fri May 2 15:15:22 EDT 2003


Thanks Erek for your nice explanation. So just to confirm, if I add the
below lines

"var HOME_NET $eth0_ADDRESS" in snort.conf, along with other
configuration lines and

"/usr/local/bin/snort -i eth0 -l /var/log/snort/ -d -b -c /etc/snort/snort.conf -D -p"

will meet my requirements that
"running snort to watch the network traffic destined only to my machine
and also taking care of the changing IP address 
in DHCP scenario"

If I am wrong somewhere, please correct me.

Pradeep


-----Original Message-----
From: Erek Adams [mailto:erek at ...950...]
Sent: Friday, May 02, 2003 4:59 PM
To: Sadanapalli, Pradeep Kumar (MED, TCS)
Cc: 'David Alonso De La Vega Tapage'; Erek Adams;
snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort with DHCP


On Fri, 2 May 2003, Sadanapalli, Pradeep Kumar (MED, TCS) wrote:

> Thanks Erek. Yes my listening interface is eth0. My intention is to
> configure snort to see the traffic only on my NIC.
> So by keeping "var HOME_NET $eth0-ADDRESS" in snort.conf, will it meet
> my requirement?

As long as you made it "$eth0_ADDRESS".  ;-)  (See the bottom of the
message for an explanation of HOME_NET.)

> What is the difference between running snort in promiscuous mode and
> not in promiscuous mode?

Promisc mode will listen to "everything" on the wire (ethernet).
Granted, you may not have 'everything' sent to you, but promisc mode
grabs every packet.  On a switch, you only see traffic destined for you,
so promisc mode may/may not be of use to you.  Some OSes have issues with
promisc mode, which is why the flag exists.  There are more details, but
I won't bore you with them--unless you ask.  ;-)

HOME_NET defines the 'area' or IP space that you want to watch.  If you
set up a burglar alarm in your house, and wanted to watch the kitchen and
the bedroom, then your HOME_NET would consist of 'kitchen, the_bedroom'.
Keep in mind that we're talking in terms of IP addresses, and that those
IPs can relate to a HUGE netblock (/8 anyone? :).  Think of it as
HOME_NET == 'stuff I want to make sure is safe'.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
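As an added illustration (not from the thread and not Snort's own code), a small Python checker that applies Erek's points to Pradeep's proposed snort.conf line and command: it flags the hyphen-versus-underscore slip, a fixed HOME_NET that would go stale on a DHCP address, a HOME_NET interface that does not match -i, and a missing -p when only traffic to the sensor itself is wanted. The regular expressions and the sample inputs are constructed; the checker only inspects text and assumes single-letter, uncombined snort switches.

```python
import re
from typing import Dict, List

# Constructed text-only checks for the HOME_NET / command-line combination in the thread.
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)", re.M)   # "var NAME VALUE" lines
IFACE_ADDR_RE = re.compile(r"^\$(\w+)_ADDRESS$")         # Snort's $<iface>_ADDRESS form
IFACE_ADDR_TYPO_RE = re.compile(r"^\$(\w+)-ADDRESS$")    # the hyphen slip from the thread
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")

# Constructed inputs mirroring Pradeep's message.
THREAD_CONF = "var HOME_NET $eth0_ADDRESS\nvar EXTERNAL_NET !$HOME_NET\n"
THREAD_CMD = "/usr/local/bin/snort -i eth0 -l /var/log/snort/ -d -b -c /etc/snort/snort.conf -D -p"


def parse_vars(conf: str) -> Dict[str, str]:
    """Collect the 'var NAME VALUE' definitions from snort.conf text."""
    return {m.group(1): m.group(2) for m in VAR_RE.finditer(conf)}


def listen_interface(cmdline: str) -> str:
    """Interface named by the -i switch, or '' when absent (uncombined flags only)."""
    args = cmdline.split()
    return args[args.index("-i") + 1] if "-i" in args[:-1] else ""


def check_sensor(conf: str, cmdline: str, dhcp: bool) -> List[str]:
    """Findings for a 'watch only my own machine' sensor; an empty list means consistent."""
    findings: List[str] = []
    iface = listen_interface(cmdline)
    if not iface:
        findings.append("no -i <interface> on the command line; HOME_NET cannot be tied to one")
    if "-p" not in cmdline.split():   # -p turns promiscuous mode OFF in Snort
        findings.append("promiscuous mode is on (no -p); traffic not addressed to this host is captured too")
    home = parse_vars(conf).get("HOME_NET")
    if home is None:
        findings.append("HOME_NET is not defined")
        return findings
    typo = IFACE_ADDR_TYPO_RE.match(home)
    if typo:
        findings.append(f"HOME_NET '{home}' uses a hyphen; Snort expects ${typo.group(1)}_ADDRESS")
        return findings
    addr = IFACE_ADDR_RE.match(home)
    if addr:
        if iface and addr.group(1) != iface:   # variable follows a different NIC than -i
            findings.append(f"HOME_NET tracks {addr.group(1)} but -i listens on {iface}")
    elif home == "any":
        findings.append("HOME_NET is 'any': every address counts as home, so the host-only intent is lost")
    elif IPV4_RE.match(home) and dhcp:
        findings.append(f"HOME_NET is the fixed address {home}; it goes stale when the DHCP lease changes")
    return findings
```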
