[Snort-users] Snort will not detect anything on stealth interface unless I assign IP

Paul Schmehl pauls at ...6838...
Mon Jul 19 08:10:07 EDT 2004


--On Monday, July 19, 2004 6:53 AM -0700 Rhugga 
<snort-list at ...12135...> wrote:
>
> I guess I am confused about how to configure HOME_NET, etc...
>
It might help if you think of HOME_NET this way.  Most rules have 
"direction" to them.  Either from EXTERNAL_NET to HOME_NET or vice versa. 
Define HOME_NET as those IPs which you want to monitor for traffic flows 
either in or out.

> Here is what I am trying to do:
>
> My snort box is on an internal address, 10.250.200.xx (there are no
> external routable IP addresses NATed to the machine) This is interface
> eth0, it has a copper gig connection directly to a port in a black
> diamond switch. (The NIC is a SysKonnect)
>
> On the same box I ran a cable from the onboard 100mb intel NIC to the
> same hub that contains only our border router and our two firewalls. (the
> firewalls are in a redundant pair) The connection is full duplex 100 mb.
> (same with the router and firewalls) This is interface eth1.
>
> I _only_ want to monitor traffic on eth1, I don't care anything about
> eth0  for this particular IDS. (I have others for internal networks) I
> don't want eth1 to have an IP address nor do I want to use any static arp
> entries anywhere.
>
Then you start snort with the "-i" switch pointing to eth1.

snort -i eth1

Do this, and see if traffic starts flowing across your screen.  If it does, 
then feed it to whatever output mechanism you've chosen and look at the 
results to make sure you're getting what you want.

snort -i eth1 -c /etc/snort/snort.conf -D

> To do this, how would I define HOME_NET and the other vars too?
>
That depends on what you're trying to monitor.  If you want to monitor all 
traffic going in or out of your network, then HOME_NET would be your IP 
range - for example - HOME_NET = [217.119.0.0/24,10.0.0.0/8]

Unless you give us more information, it's really hard to be more precise.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
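
Added example (not part of the original message and not Snort's own code): a Python sketch of the "direction" test described above, showing which constructed packets fit an EXTERNAL_NET -> HOME_NET or HOME_NET -> EXTERNAL_NET rule header under two HOME_NET definitions. It assumes EXTERNAL_NET is defined as !$HOME_NET; the packet addresses and the sensor-only range (a /24 guessed from the 10.250.200.xx address in the question) are constructed for illustration.

```python
import ipaddress

def parse_net_list(text):
    """Parse a bracketed CIDR list such as [217.119.0.0/24,10.0.0.0/8]."""
    items = text.strip().strip("[]").split(",")
    return [ipaddress.ip_network(i.strip()) for i in items if i.strip()]

def in_nets(addr, nets):
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def direction(src, dst, home_nets):
    """Classify a packet against directional rule headers.

    Assumption: EXTERNAL_NET is !$HOME_NET, so an address is "external"
    exactly when it is not in HOME_NET.
    """
    src_home = in_nets(src, home_nets)
    dst_home = in_nets(dst, home_nets)
    if not src_home and dst_home:
        return "inbound"    # fits $EXTERNAL_NET -> $HOME_NET
    if src_home and not dst_home:
        return "outbound"   # fits $HOME_NET -> $EXTERNAL_NET
    return "no-match"       # both or neither in HOME_NET: no directional rule fits

def classify(packets, home_net_text):
    """Return the direction label for each (src, dst) pair."""
    nets = parse_net_list(home_net_text)
    return [direction(src, dst, nets) for src, dst in packets]

# HOME_NET value used as the example in the message above.
PAGE_HOME_NET = "[217.119.0.0/24,10.0.0.0/8]"
# Constructed: HOME_NET covering only the sensor's own internal range.
SENSOR_ONLY = "[10.250.200.0/24]"

# Constructed (src, dst) pairs such as a sensor next to the border router might see.
PACKETS = [
    ("198.51.100.7", "217.119.0.25"),  # outside host to a monitored address
    ("217.119.0.25", "198.51.100.7"),  # the reply
    ("198.51.100.7", "203.0.113.9"),   # neither side in HOME_NET
    ("10.1.2.3", "217.119.0.25"),      # both sides in HOME_NET
]

if __name__ == "__main__":
    for label, home in (("page example", PAGE_HOME_NET), ("sensor only", SENSOR_ONLY)):
        print(label, classify(PACKETS, home))
```

With the sensor-only definition every packet comes back as "no-match", which is the symptom of a HOME_NET that does not cover the addresses actually visible on the monitored segment.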
