Snort mailing list archives
Re: Snort will not detect anything on stealth interface unless I assign IP
From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 19 Jul 2004 10:09:08 -0500
--On Monday, July 19, 2004 6:53 AM -0700 Rhugga <snort-list () sandiego420 com> wrote:
> I guess I am confused about how to configure HOME_NET, etc...

It might help if you think of HOME_NET this way. Most rules have "direction" to them. Either from EXTERNAL_NET to HOME_NET or vice versa. Define HOME_NET as those IPs which you want to monitor for traffic flows either in or out.
> Here is what I am trying to do: My snort box is on an internal address, 10.250.200.xx (there are no external routable IP addresses NATed to the machine). This is interface eth0, it has a copper gig connection directly to a port in a black diamond switch. (The NIC is a SysKonnect.) On the same box I ran a cable from the onboard 100mb intel NIC to the same hub that contains only our border router and our two firewalls. (The firewalls are in a redundant pair.) The connection is full duplex 100 mb. (Same with the router and firewalls.) This is interface eth1. I _only_ want to monitor traffic on eth1, I don't care anything about eth0 for this particular IDS. (I have others for internal networks.) I don't want eth1 to have an IP address nor do I want to use any static arp entries anywhere.
Then you start snort with the "-i" switch pointing to eth1.

    snort -i eth1

Do this, and see if traffic starts flowing across your screen. If it does, then feed it to whatever output mechanism you've chosen and look at the results to make sure you're getting what you want.
snort -i eth1 -c /etc/snort/snort.conf -D
> To do this, how would I define HOME_NET and the other vars too?

That depends on what you're trying to monitor. If you want to monitor all traffic going in or out of your network, then HOME_NET would be your IP range - for example - HOME_NET = [217.119.0.0/24,10.0.0.0/8]
Unless you give us more information, it's really hard to be more precise.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
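As an added illustration of the HOME_NET advice in the message above (not code from the thread or from Snort), this Python sketch models how directional rules see a packet under two HOME_NET definitions. It assumes EXTERNAL_NET is set to !$HOME_NET; the 10.250.200.0/24 sensor subnet and the packet addresses are constructed for the example.

```python
import ipaddress

# HOME_NET example value quoted in the message above.
PAGE_HOME_NET = "[217.119.0.0/24,10.0.0.0/8]"
# Assumption: HOME_NET narrowed to the sensor's own eth0 subnet (10.250.200.xx).
SENSOR_ONLY_HOME_NET = "[10.250.200.0/24]"

# Constructed sample packets (src, dst) as they would appear on the border hub.
SAMPLE_PACKETS = [
    ("198.51.100.7", "217.119.0.10"),   # inbound to the public range
    ("217.119.0.10", "198.51.100.7"),   # outbound from the public range
]


def parse_nets(spec):
    """Parse a Snort-style address list such as "[a/24,b/8]" into networks."""
    items = spec.strip().strip("[]").split(",")
    return [ipaddress.ip_network(i.strip()) for i in items if i.strip()]


def in_nets(addr, nets):
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def direction(src, dst, home_spec):
    """Classify a packet as directional rules would see it.

    EXTERNAL_NET is modelled as everything outside HOME_NET (assumption).
    """
    home = parse_nets(home_spec)
    src_home, dst_home = in_nets(src, home), in_nets(dst, home)
    if not src_home and dst_home:
        return "EXTERNAL_NET -> HOME_NET"
    if src_home and not dst_home:
        return "HOME_NET -> EXTERNAL_NET"
    return "no directional match"


def coverage(home_spec, packets=SAMPLE_PACKETS):
    """Return the direction seen for each sample packet under home_spec."""
    return [direction(src, dst, home_spec) for src, dst in packets]


if __name__ == "__main__":
    for spec in (PAGE_HOME_NET, SENSOR_ONLY_HOME_NET):
        print(spec, coverage(spec))
```

With the sensor-only definition neither sample packet has an endpoint in HOME_NET, so rules written with a direction between EXTERNAL_NET and HOME_NET have nothing to match on the monitored segment.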