[Snort-users] Snort will not detect anything on stealth

Matt Kettler mkettler at ...4108...
Mon Jul 19 09:44:06 EDT 2004

At 09:53 AM 7/19/2004, Rhugga wrote:
>My snort box is on an internal address, 10.250.200.xx (there are no 
>external routable IP addresses NATed to the machine). This is interface 
>eth0, it has a copper gig connection directly to a port in a black diamond 
>switch. (The NIC is a SysKonnect)
>On the same box I ran a cable from the onboard 100mb intel NIC to the same 
>hub that contains only our border router and our two firewalls. (the 
>firewalls are in a redundant pair) The connection is full duplex 100 mb. 
>(same with the router and firewalls) This is interface eth1.

Um.. Clearly there's a detail omitted above. You can't have a full-duplex 
connection to a Hub.

Is it a switch? Is it set as a span port?

If it's a switch without a span port, you're hosed. Connect eth1 to 
something else that's appropriate for sniffing, like a HUB, a TAP, or a 
switch with a span port.

Switches by default only forward packets to ports that need them, and thus 
inherently defeat the promiscuous sniffing behaviors of snort, as well as 
any other promisc ethernet tool.

>I _only_ want to monitor traffic on eth1, I don't care anything about 
>eth0 for this particular IDS. (I have others for internal networks) I 
>don't want eth1 to have an IP address nor do I want to use any static arp 
>entries anywhere.
>To do this, how would I define HOME_NET and the other vars too?

First, think about the traffic that's going to go by snort's sniffing 

HOME_NET is basically "what set of IP addresses do you wish to watch to see 
if they are the target of an attack". This is why when you set eth1 to a 
bogus address and then used it as a HOME_NET you never got any alerts.. No 
attacks were ever seen going to the bogus address, and everything else was 

Common choices for HOME_NET are:
         all the IP addresses belonging to boxes you control that the
         sensor will see traffic for
         any     (results in more noise, but if attacks are launched from
         your network to the rest of the world, you'll see them)

EXTERNAL_NET is basically "what set of IP addresses do you wish to consider 
possible sources of attack".

Common choices of EXTERNAL_NET are:
         !$HOME_NET      (causes apparent attacks from your network
         machines to be ignored, even if to another HOME_NET machine)
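
Added example (not part of the original post, and not Snort code): a small Python model of how the HOME_NET and EXTERNAL_NET choices described above decide which packets a rule of the form "alert ip $EXTERNAL_NET any -> $HOME_NET any" is evaluated against. The addresses, sample packets and helper names are constructed for illustration.

```python
"""Toy model of HOME_NET / EXTERNAL_NET gating for a rule shaped like
alert ip $EXTERNAL_NET any -> $HOME_NET any. Illustration only."""
import ipaddress


def matcher(spec, variables=None):
    """Return a predicate for 'any', a CIDR block, '$NAME' or '!<spec>'."""
    variables = variables or {}
    if spec.startswith("!"):            # negation, as in !$HOME_NET
        inner = matcher(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):            # variable reference
        return matcher(variables[spec[1:]], variables)
    if spec == "any":
        return lambda ip: True
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def alerts(home_net, external_net, packets):
    """Return the (src, dst) pairs whose source is in EXTERNAL_NET and
    whose destination is in HOME_NET, i.e. the packets the rule can fire on."""
    variables = {"HOME_NET": home_net}
    is_home = matcher(home_net, variables)
    is_ext = matcher(external_net, variables)
    return [(s, d) for s, d in packets if is_ext(s) and is_home(d)]


# Constructed traffic seen on the sniffing interface (documentation ranges).
PACKETS = [
    ("203.0.113.7", "192.0.2.10"),   # outside -> protected host
    ("192.0.2.10", "203.0.113.7"),   # protected host -> outside
    ("192.0.2.20", "192.0.2.10"),    # protected host -> protected host
]

# (HOME_NET, EXTERNAL_NET) pairs matching the choices discussed in the post.
SCENARIOS = {
    "bogus HOME_NET": ("198.51.100.99/32", "any"),
    "real HOME_NET, EXTERNAL_NET any": ("192.0.2.0/24", "any"),
    "real HOME_NET, EXTERNAL_NET !$HOME_NET": ("192.0.2.0/24", "!$HOME_NET"),
    "HOME_NET any": ("any", "any"),
}

if __name__ == "__main__":
    for name, (home, ext) in SCENARIOS.items():
        print(f"{name}: {alerts(home, ext, PACKETS)}")
```
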
