[Snort-users] Snort will not detect anything on stealth
mkettler at ...4108...
Mon Jul 19 09:44:06 EDT 2004
At 09:53 AM 7/19/2004, Rhugga wrote:
>My snort box is on an internal address, 10.250.200.xx (there are no
>external routable IP addresses NATed to the machine) This is interface
>eth0, it has a copper gig connection directly to a port in a black diamond
>switch. (The NIC is a SysKonnect)
>On the same box I ran a cable from the onboard 100mb intel NIC to the same
>hub that contains only our border router and our two firewalls. (the
>firewalls are in a redundant pair) The connection is full duplex 100 mb.
>(same with the router and firewalls) This is interface eth1.
Um.. Clearly there's a detail omitted above. You can't have a full-duplex
connection to a Hub.
Is it a switch? Is it set as a span port?
If it's a switch without a span port, you're hosed. Connect eth1 to
something else that's appropriate for sniffing, like a HUB, a TAP, or a
switch with a span port.
Switches by default only forward packets to ports that need them, and thus
inherently defeat the promiscuous sniffing behaviors of snort, as well as
any other promiscuous Ethernet tool.
>I _only_ want to monitor traffic on eth1, I don't care anything about
>eth0 for this particular IDS. (I have others for internal networks) I
>don't want eth1 to have an IP address nor do I want to use any static arp
>To do this, how would I define HOME_NET and the other vars too?
First, think about the traffic that's going to go by snort's sniffing
HOME_NET is basically "what set of IP addresses do you wish to watch to see
if they are the target of an attack". This is why when you set eth1 to a
bogus address and then used it as a HOME_NET you never got any alerts. No
attacks were ever seen going to the bogus address, and everything else was
Common choices for HOME_NET are:
  - all the IP addresses belonging to boxes you control that the
    sensor will see traffic for
  - any (results in more noise, but if attacks are launched from
    your network to the rest of the world, you'll see them)
EXTERNAL_NET is basically "what set of IP addresses do you wish to consider
possible sources of attack".
Common choices of EXTERNAL_NET are:
  - !$HOME_NET (causes apparent attacks from your network
    machines to be ignored, even if to another HOME_NET machine)
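To make the HOME_NET / EXTERNAL_NET point above concrete, here is an added Python sketch (not from this post and not Snort's own code) that resolves Snort-style address variables the way a rule header such as `alert tcp $EXTERNAL_NET any -> $HOME_NET any` would, and runs it over a few constructed flows. The 10.250.200.0/24 range, the 192.0.2.1 "bogus" address and the flow addresses are assumptions; nested bracket lists are not handled.

```python
import ipaddress

def addr_match(spec, ip, env):
    """True if ip falls within a Snort-style address spec.
    Handles 'any', '!' negation, '$VAR' lookups and flat '[a,b,...]' lists."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_match(spec[1:], ip, env)
    if spec.startswith("$"):
        return addr_match(env[spec[1:]], ip, env)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_match(part, ip, env) for part in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def eligible_flows(env, flows):
    """Flows (src, dst) on which a rule written as
    '$EXTERNAL_NET any -> $HOME_NET any' could fire at all."""
    return [f for f in flows
            if addr_match("$EXTERNAL_NET", f[0], env)
            and addr_match("$HOME_NET", f[1], env)]

# Constructed sample flows (src, dst); 10.250.200.0/24 is the assumed inside net.
FLOWS = [
    ("203.0.113.7", "10.250.200.20"),    # outside -> inside
    ("10.250.200.5", "10.250.200.20"),   # inside -> inside
    ("10.250.200.5", "198.51.100.9"),    # inside -> outside
]

# eth1 given a bogus address and that address used as HOME_NET:
# nothing is ever sent to it, so no rule can match (the post's failure mode).
BOGUS = {"HOME_NET": "192.0.2.1/32", "EXTERNAL_NET": "!$HOME_NET"}
# Watch the real inside range; !$HOME_NET hides inside-to-inside traffic.
WATCH_INTERNAL = {"HOME_NET": "10.250.200.0/24", "EXTERNAL_NET": "!$HOME_NET"}
# Same HOME_NET but EXTERNAL_NET any: inside-to-inside becomes visible.
EXTERNAL_ANY = {"HOME_NET": "10.250.200.0/24", "EXTERNAL_NET": "any"}
# any/any: noisiest, but outbound attacks toward the world are seen too.
ANY_ANY = {"HOME_NET": "any", "EXTERNAL_NET": "any"}

if __name__ == "__main__":
    for name, env in [("bogus", BOGUS), ("watch_internal", WATCH_INTERNAL),
                      ("external_any", EXTERNAL_ANY), ("any_any", ANY_ANY)]:
        print(name, eligible_flows(env, FLOWS))
```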