From: Andrew R. Baker (andrewbsnort.org)
Date: Sun Jul 06 2003 - 10:28:01 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Erek Adams wrote:
> On Thu, 3 Jul 2003, [iso-8859-1] Louis Lam wrote:
>
>
>>Okay, thanks, I see what you mean. I tried that too
>>but still manage to pick up attack traffic to another
>>host. Here is the scenario:
>>
>>Suppose the host that has snort installed is
>>192.168.1.10, and i set my HOME_NET to
>>192.168.1.10/32.
>>
>>Then i tried to use another machine 192.168.1.20 to
>>nmap another machine 192.168.1.30, the snort on
>>192.168.1.10 still can pick up the traffic and
>>generate alerts.
>>
>>I understand that snort is more of a Netword based
>>IDS, but lets assume that i'm in a sad case where I
>>can't even trust my neighbours in the same network.
>>what other configuration needs to be done?
>
>
> Honestly it sounds like a misconfig issue. Once you make the change in
> snort.conf, are you restarting Snort? If you're not, you need to. What
> is your EXTERNAL_NET set to? If it's still at 'any' change it to
> '!$HOME_NET'.

One other thing that should be considered when running Snort to only
protect a single host is to use the '-p' command line switch to disable
promiscuous mode sniffing. Doing so will cause Snort to only see those
packets addressed to the interface it is running on.

-A

-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_061203_01/01
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]