Snort mailing list archives

Re: Snort will not detect anything on stealth interface unless I assign IP


From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 19 Jul 2004 10:09:08 -0500

--On Monday, July 19, 2004 6:53 AM -0700 Rhugga <snort-list () sandiego420 com> wrote:

> I guess I am confused about how to configure HOME_NET, etc...

It might help if you think of HOME_NET this way. Most rules have "direction" to them. Either from EXTERNAL_NET to HOME_NET or vice versa. Define HOME_NET as those IPs which you want to monitor for traffic flows either in or out.

> Here is what I am trying to do:
>
> My snort box is on an internal address, 10.250.200.xx (there are no
> external routable IP addresses NATed to the machine). This is interface
> eth0; it has a copper gig connection directly to a port in a Black
> Diamond switch. (The NIC is a SysKonnect.)
>
> On the same box I ran a cable from the onboard 100mb Intel NIC to the
> same hub that contains only our border router and our two firewalls. (The
> firewalls are in a redundant pair.) The connection is full duplex 100 mb.
> (same with the router and firewalls). This is interface eth1.
>
> I _only_ want to monitor traffic on eth1, I don't care anything about
> eth0 for this particular IDS. (I have others for internal networks.) I
> don't want eth1 to have an IP address nor do I want to use any static arp
> entries anywhere.

Then you start snort with the "-i" switch pointing to eth1.

snort -i eth1

Do this, and see if traffic starts flowing across your screen. If it does, then feed it to whatever output mechanism you've chosen and look at the results to make sure you're getting what you want.

snort -i eth1 -c /etc/snort/snort.conf -D

> To do this, how would I define HOME_NET and the other vars too?

That depends on what you're trying to monitor. If you want to monitor all traffic going in or out of your network, then HOME_NET would be your IP range - for example - HOME_NET = [217.119.0.0/24,10.0.0.0/8]

Unless you give us more information, it's really hard to be more precise.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
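To make Paul's point about rule "direction" concrete, here is a small added example (not part of this thread, and not Snort's own parser). It models how Snort's `var HOME_NET` / `var EXTERNAL_NET` definitions decide whether a flow looks inbound or outbound to a rule header such as `$EXTERNAL_NET any -> $HOME_NET any`, using the address list syntax from Paul's reply. The parser is a deliberate simplification (it handles `any`, `[a,b,...]` lists, `!` negation of a single entry or variable, and `$NAME` references; nested bracket lists are not supported). The addresses in the sample flows are constructed for illustration.

```python
import ipaddress

# Constructed snort.conf variable block in the form Paul describes.
# 10.0.0.0/8 is the internal range; 217.119.0.0/24 stands in for the
# publicly routable range (the figure is taken from Paul's example).
SNORT_VARS = """\
var HOME_NET [217.119.0.0/24,10.0.0.0/8]
var EXTERNAL_NET !$HOME_NET
"""


def expand(spec, vars_):
    """Expand a Snort-style address spec into (positives, negatives).

    An address is in the set when it matches no negative network and
    matches a positive one (an empty positive list means 'any').
    """
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        positives, negatives = [], []
        for item in spec[1:-1].split(","):
            pos, neg = expand(item, vars_)
            positives += pos
            negatives += neg
        return positives, negatives
    if spec.startswith("!"):
        pos, neg = expand(spec[1:], vars_)
        if neg:
            # Negating a spec that already contains exclusions is ambiguous
            # in this toy model, so refuse rather than guess.
            raise ValueError(f"cannot negate a spec with exclusions: {spec}")
        return [], pos          # '!X' keeps everything except X
    if spec.startswith("$"):
        return vars_[spec[1:]]  # reference to an earlier 'var' line
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], []
    return [ipaddress.ip_network(spec, strict=False)], []


def parse_vars(text):
    """Read 'var NAME spec' lines (comments after '#' are ignored)."""
    vars_ = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("var "):
            continue
        _, name, spec = line.split(None, 2)
        vars_[name] = expand(spec, vars_)
    return vars_


def in_set(addr, net_set):
    """True if addr is covered by a (positives, negatives) set."""
    positives, negatives = net_set
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in negatives):
        return False
    return not positives or any(ip in net for net in positives)


def classify_flow(src, dst, vars_):
    """Label a flow the way a rule header's direction operator would see it."""
    home, ext = vars_["HOME_NET"], vars_["EXTERNAL_NET"]
    if in_set(src, ext) and in_set(dst, home):
        return "inbound"     # fires rules written $EXTERNAL_NET -> $HOME_NET
    if in_set(src, home) and in_set(dst, ext):
        return "outbound"    # fires rules written $HOME_NET -> $EXTERNAL_NET
    if in_set(src, home) and in_set(dst, home):
        return "internal"
    return "external"        # neither end is ours; most rules never match it


# Constructed sample flows, as they might be seen on the border hub (eth1).
SAMPLE_FLOWS = [
    ("198.51.100.7", "217.119.0.5"),     # outside host hitting a public address
    ("10.250.200.10", "198.51.100.7"),   # internal host going out
    ("10.250.200.10", "217.119.0.5"),    # internal to our own public range
    ("198.51.100.7", "203.0.113.9"),     # transit traffic, neither end ours
]

if __name__ == "__main__":
    vars_ = parse_vars(SNORT_VARS)
    for src, dst in SAMPLE_FLOWS:
        print(f"{src:>15} -> {dst:<15} {classify_flow(src, dst, vars_)}")
```

The last sample flow is why Paul's definition matters: with `HOME_NET` left at `any` (and `EXTERNAL_NET` likewise), every flow classifies as "inbound", so direction-sensitive rules fire on transit traffic that has nothing to do with the monitored network and alert volume goes up without adding information.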

