[Snort-users] Snort will not detect anything on stealth interface unless I assign IP

Rhugga snort-list at ...12135...
Mon Jul 19 06:54:08 EDT 2004


Matt Kettler wrote:

> At 03:10 PM 7/17/2004, Rhugga wrote:
>
>> I have attached 1 interface from my IDS box to a hub containing our 
>> border router and our 2 firewalls. I bring the interface up with no 
>> IP address and snort will not start due to $eth1_ADDRESS being null.
>
>
> What are you using $eth1_address for? Your HOME_NET?
>
> If you set the eth1 interface to an invalid dummy address, and then 
> try to use that dummy address for HOME_NET, of course no rules will 
> match, because none of the traffic on your wire is in HOME_NET.
>
> Edit your snort.conf to not use the interface address macros when 
> doing stealth interfaces.
>
I guess I am confused about how to configure HOME_NET, etc...

Here is what I am trying to do:

My snort box is on an internal address, 10.250.200.xx (there are no 
external routable IP addresses NATed to the machine). This is interface 
eth0; it has a copper gig connection directly to a port in a Black 
Diamond switch. (The NIC is a SysKonnect.)

On the same box I ran a cable from the onboard 100 Mb Intel NIC to the 
same hub that contains only our border router and our two firewalls 
(the firewalls are a redundant pair). The connection is full duplex 
100 Mb (same with the router and firewalls). This is interface eth1.

I _only_ want to monitor traffic on eth1; I don't care anything about 
eth0 for this particular IDS. (I have others for internal networks.) I 
don't want eth1 to have an IP address, nor do I want to use any static 
arp entries anywhere.

To do this, how would I define HOME_NET and the other vars?

Thx,
Rhugga
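The point Matt makes above is that Snort's `$<iface>_ADDRESS` macros expand to the sniffing interface's own IP, which is empty on an IP-less stealth interface, so HOME_NET has to be written out as the networks you actually want to watch. The script below is an added example, not code from either mail: a POSIX shell pre-flight check that flags any `var`/`ipvar` line still using an interface address macro, extracts the HOME_NET value that would be used, and shows the `ip` commands that bring a capture interface up with no address. The two snort.conf fragments are constructed for illustration; 10.250.200.0/24 is the poster's internal range, 192.0.2.0/24 is a documentation-range placeholder standing in for whatever public block sits on the hub side, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight check for a Snort stealth (IP-less) interface.
# Snort 2.x lets snort.conf say 'var HOME_NET $eth1_ADDRESS'; that macro
# is the interface's own address, so on an interface with no IP it is
# empty and Snort refuses to start (the symptom in the thread).

# Constructed snort.conf fragments for illustration (not from the thread).
BAD_CONF='var HOME_NET $eth1_ADDRESS
var EXTERNAL_NET !$HOME_NET'

# 192.0.2.0/24 is a placeholder for the real public block on the hub side.
GOOD_CONF='# eth1 has no IP: name the networks to protect explicitly.
var HOME_NET [10.250.200.0/24,192.0.2.0/24]
var EXTERNAL_NET !$HOME_NET'

# uses_iface_macro CONF: true (exit 0) if CONF references any
# $<something>_ADDRESS macro, which will be empty on an IP-less interface.
uses_iface_macro() {
    printf '%s\n' "$1" | grep -q '\$[A-Za-z0-9_][A-Za-z0-9_]*_ADDRESS'
}

# home_net_of CONF: print the value assigned to HOME_NET by a
# 'var HOME_NET ...' or 'ipvar HOME_NET ...' line, trailing blanks stripped.
home_net_of() {
    printf '%s\n' "$1" | sed -n \
        -e '/^[[:space:]]*\(ip\)\{0,1\}var[[:space:]][[:space:]]*HOME_NET[[:space:]]/!d' \
        -e 's/^[[:space:]]*\(ip\)\{0,1\}var[[:space:]][[:space:]]*HOME_NET[[:space:]][[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e p
}

# stealth_up IFACE: bring a capture interface up with no IPv4/IPv6 address
# and in promiscuous mode. Needs root and a real interface; it is defined
# here for reference and is not executed by this script.
stealth_up() {
    ip addr flush dev "$1"                              # drop any address
    sysctl -w "net.ipv6.conf.$1.disable_ipv6=1" >/dev/null  # no IPv6 link-local
    ip link set dev "$1" up                             # link up, still no IP
    ip link set dev "$1" promisc on                     # see everything on the hub
}

# Demo over the two constructed fragments.
for name in BAD_CONF GOOD_CONF; do
    eval "conf=\$$name"
    if uses_iface_macro "$conf"; then
        echo "$name: uses an interface address macro; HOME_NET would be empty on an IP-less interface"
    else
        echo "$name: HOME_NET = $(home_net_of "$conf")"
    fi
done
```

Run it against a real snort.conf with `uses_iface_macro "$(cat /etc/snort/snort.conf)"` before starting Snort with `-i eth1`; if it reports a macro, replace that line with an explicit HOME_NET list as in GOOD_CONF. EXTERNAL_NET can stay as `!$HOME_NET`, since it is derived from the explicit list rather than from the interface.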