[Snort-users] Snort will not detect anything on stealth interface unless I assign IP
snort-list at ...12135...
Mon Jul 19 06:54:08 EDT 2004
Matt Kettler wrote:
> At 03:10 PM 7/17/2004, Rhugga wrote:
>> I have attached 1 interface from the IDS box to a hub containing our
>> border router and our 2 firewalls. I bring the interface up with no
>> IP address and snort will not start due to $eth1_ADDRESS being null.
> What are you using $eth1_address for? Your HOME_NET?
> If you set the eth1 interface to an invalid dummy address, and then
> try to use that dummy address for HOME_NET, of course no rules will
> match, because none of the traffic on your wire is in HOME_NET.
> Edit your snort.conf to not use the interface address macros when
> doing stealth interfaces.
I guess I am confused about how to configure HOME_NET, etc...
Here is what I am trying to do:
My snort box is on an internal address, 10.250.200.xx (there are no
externally routable IP addresses NATed to the machine). This is interface
eth0; it has a copper gig connection directly to a port in a Black
Diamond switch. (The NIC is a SysKonnect.)
On the same box I ran a cable from the onboard 100 Mb Intel NIC to the
same hub that contains only our border router and our two firewalls.
(The firewalls are in a redundant pair.) The connection is full duplex
100 Mb (same with the router and firewalls). This is interface eth1.
I _only_ want to monitor traffic on eth1, I don't care anything about
eth0 for this particular IDS. (I have others for internal networks.) I
don't want eth1 to have an IP address nor do I want to use any static
arp entries anywhere.
To do this, how would I define HOME_NET and the other vars too?
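The following is an added example, not part of this thread or of the Snort distribution, showing the approach Matt describes: state HOME_NET and the server variables as explicit CIDR prefixes so nothing in snort.conf depends on a `$<iface>_ADDRESS` macro, then bring eth1 up with no IP address. The monitored prefix 203.0.113.0/24 is a placeholder (TEST-NET-3) standing in for the poster's real border range, and `check_no_iface_macros` is a hypothetical pre-flight helper, not a Snort tool.

```shell
#!/bin/sh
# Added example (not from the thread): Snort 2.x-style snort.conf variables
# for a sensor whose sniffing interface has no IP address, plus a pre-flight
# check that no $<iface>_ADDRESS macro is left in the config.
# Assumption: 203.0.113.0/24 is a placeholder for the real monitored prefix.

# Emit the variable block for the top of snort.conf. Every value is an
# explicit prefix; nothing here needs eth1 to carry an address.
write_stealth_vars() {
    cat <<'EOF'
# Monitored networks, stated explicitly (placeholder prefix; replace it).
var HOME_NET [203.0.113.0/24]
# Everything that is not HOME_NET is external.
var EXTERNAL_NET !$HOME_NET
# Server variables pinned to HOME_NET rather than to an interface address.
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
EOF
}

# Return 0 if the config contains no $<iface>_ADDRESS macro, 1 otherwise,
# listing the offending lines on stderr. A hit means snort would still
# refuse to start on an IP-less interface.
check_no_iface_macros() {
    conf="$1"
    if grep -Eq '\$[A-Za-z0-9]+_ADDRESS' "$conf"; then
        grep -En '\$[A-Za-z0-9]+_ADDRESS' "$conf" >&2
        return 1
    fi
    return 0
}

# Bring the sniffing interface up with no address, in promiscuous mode,
# and start snort bound to it in daemon mode. Needs root and a real
# interface, so it only runs when the script is invoked with "apply".
start_stealth_sensor() {
    iface="$1"
    conf="$2"
    ifconfig "$iface" 0.0.0.0 up promisc
    snort -c "$conf" -i "$iface" -D
}

if [ "$1" = "apply" ]; then
    conf="${2:-/etc/snort/snort.conf}"
    check_no_iface_macros "$conf" || {
        echo "refusing to start: interface address macros still present" >&2
        exit 1
    }
    start_stealth_sensor eth1 "$conf"
fi
```

Run `sh stealth.sh apply /etc/snort/snort.conf` as root once the variable block has replaced any `var HOME_NET $eth1_ADDRESS` line; without `apply` the script only defines the functions, so it can be sourced to test a config first.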