[Snort-users] filtering bridge
mkettler at ...4108...
Thu Oct 21 11:25:52 EDT 2004
At 05:14 AM 10/21/2004, jvarlet at ...12243... wrote:
>I would like to know if it is possible to use snort on a bridge.
>All uses of snort I made were built on ip addresses.
>But a bridge has no ip address...
Snort doesn't care about whether or not the ethernet interface it uses has
an IP address. See the "stealth" interface notes in the FAQ.
Snort just picks up raw ethernet frames with pcap. If tcpdump can grab
packets off it, so can snort.
However, you will need to set up HOME_NET and EXTERNAL_NET. In the case of
a bridge, I'd probably just set these both to "any".
Generally speaking, HOME_NET should be the list of IPs that you want to
monitor as possible destinations for attacks.
EXTERNAL_NET should be the list of IPs that you want to monitor as possible
sources of attack.
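
An added example, not part of the original message and not Snort's own code: a simplified model of how a rule header of the form `$EXTERNAL_NET -> $HOME_NET` selects packets, showing what setting both variables to "any" on a bridge changes. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

def in_var(addr, var):
    """True if addr falls inside a variable's value: 'any' or a list of CIDR blocks."""
    if var == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in var)

def header_matches(src, dst, external_net, home_net):
    """Simplified model of a rule header '$EXTERNAL_NET any -> $HOME_NET any'."""
    return in_var(src, external_net) and in_var(dst, home_net)

# Constructed sample traffic crossing the bridge: (source, destination).
PACKETS = [
    ("198.51.100.7", "192.0.2.10"),   # outside -> inside
    ("192.0.2.10", "198.51.100.7"),   # inside -> outside
    ("192.0.2.10", "192.0.2.20"),     # inside -> inside
]

def evaluated(external_net, home_net):
    """Packets for which such a rule's header matches and its body would be checked."""
    return [p for p in PACKETS if header_matches(p[0], p[1], external_net, home_net)]

if __name__ == "__main__":
    inside = ["192.0.2.0/24"]          # assumed protected network
    outside = ["198.51.100.0/24"]      # assumed untrusted network

    # Both set to "any": every frame the bridge forwards is a candidate,
    # in both directions.
    print("any/any:        ", evaluated("any", "any"))

    # HOME_NET narrowed: only traffic destined to the protected network
    # is checked; the inside -> outside packet is skipped.
    print("any/inside:     ", evaluated("any", inside))

    # Both narrowed: only outside -> inside traffic is checked.
    print("outside/inside: ", evaluated(outside, inside))
```
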