[Snort-users] one IP

JP Vossen vossenjp at ...8683...
Thu Feb 5 21:03:02 EST 2004


> Date: Wed, 4 Feb 2004 13:49:39 +0100
> From: Keming <kemweb at ...11142...>
> Reply-To: Keming <kemweb at ...11142...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] one IP
>
> Hi,
>
> I'm trying to monitor only one IP as destination of the subnet but
>
> snort.conf -> var HOME_NET 1.2.3.4/32
> and/or
> snort.conf -> var HOME_NET 1.2.3.4
>
> seems to observe and alert all in this subnet (as destination) ?

As someone else pointed out, only some rules use HOME_NET and/or EXTERNAL_NET.
I'm not quite sure what you are really trying to do, but perhaps a BPF
(Berkeley Packet Filter) might help?

Google "berkeley packet filter" (with the quotes) for more info, but starting
snort like this should limit Snort to seeing ONLY packets to or from
1.2.3.4/32:
	snort -c /path/to/snort.conf {other snort options} host 1.2.3.4

If 1.2.3.4/32 is the host on which Snort lives, the same may be achieved
(usually accidentally :) by using a switch.  If Snort is sniffing from
elsewhere and you just want that single host, the BPF above should do the
trick.

HTH,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
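To illustrate the point of the reply, that HOME_NET only narrows rules whose header references $HOME_NET while a BPF pre-filter narrows what Snort sees at all, here is an added toy model of Snort rule-header matching (example code, not Snort's own and not from the poster). The three rules, the variable values and the two packets are constructed assumptions.

```python
"""Toy model: Snort rule-header matching with HOME_NET vs. a BPF 'host' pre-filter."""
import ipaddress
import re

# Constructed sample rules: the first two use $HOME_NET, the third uses 'any'.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH to home"; sid:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP to home"; sid:2;)',
    'alert icmp any any -> any any (msg:"ICMP anywhere"; sid:3;)',
]
# Assumed snort.conf variables, as in the question (HOME_NET = one host).
VARS = {"HOME_NET": "1.2.3.4/32", "EXTERNAL_NET": "!1.2.3.4/32"}

HEADER = re.compile(r'^alert (\w+) (\S+) (\S+) -> (\S+) (\S+) \(msg:"([^"]*)"')

def addr_matches(spec, ip):
    """Resolve $VAR, handle '!' negation and 'any', then test CIDR membership."""
    if spec.startswith("$"):
        spec = VARS[spec[1:]]
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_hits(packet, rules=RULES):
    """Return the msg of every rule whose header matches the packet (no BPF)."""
    hits = []
    for rule in rules:
        proto, src, sport, dst, dport, msg = HEADER.match(rule).groups()
        if (proto == packet["proto"] and addr_matches(src, packet["src"])
                and port_matches(sport, packet["sport"])
                and addr_matches(dst, packet["dst"])
                and port_matches(dport, packet["dport"])):
            hits.append(msg)
    return hits

def bpf_host(packet, host="1.2.3.4"):
    """Emulate the libpcap filter 'host 1.2.3.4': keep packets to OR from it."""
    return host in (packet["src"], packet["dst"])

def hits_with_bpf(packet, host="1.2.3.4"):
    """Rules only see packets that passed the BPF, so the 'any' rule is silenced elsewhere."""
    return rule_hits(packet) if bpf_host(packet, host) else []

# Constructed traffic: one packet to the wanted host, one to a neighbour on the subnet.
PKT_TO_HOST = {"proto": "tcp", "src": "9.9.9.9", "sport": 4000, "dst": "1.2.3.4", "dport": 22}
PKT_TO_NEIGHBOUR = {"proto": "icmp", "src": "9.9.9.9", "sport": 0, "dst": "1.2.3.5", "dport": 0}
```

Without the BPF the `any -> any` rule still fires for 1.2.3.5 even though HOME_NET is 1.2.3.4/32; with the BPF that packet never reaches the rules.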