[Snort-users] filtering bridge

Matt Kettler mkettler at ...4108...
Thu Oct 21 11:25:52 EDT 2004


At 05:14 AM 10/21/2004, jvarlet at ...12243... wrote:
>I would like to know if it is possible to use snort on a bridge.
>All uses of snort I made was built on ip adresses.
>
>But a bridge has no ip adress...

Snort doesn't care about wether or not the ethernet interface it uses has 
an IP address or not.. See the "stealth" interface notes in the FAQ.

Snort just picks up raw ethernet frames with pcap. If tcpdump can grab 
packets off it, so can snort.

However, you will need to set up HOME_NET and EXTERNAL_NET. In the case of 
a bridge, I'd probably just set these both to "any".

Generally speaking, HOME_NET should be the list of IPs that you want to 
monitor as possible destinations for attacks.

EXTERNAL_NET should be the list of IPs that you want to monitor as possible 
sources of attack.





More information about the Snort-users mailing list