This is a discussion on RE: [Snort-users] one IP within the Snort forums, part of the System Security and Security Related category.
> Date: Wed, 4 Feb 2004 13:49:39 +0100
> From: Keming <kemweb@keming.de>
> Reply-To: Keming <kemweb@keming.de>
> To: snort-users@lists.sourceforge.net
> Subject: [Snort-users] one IP
>
> Hi,
>
> I'm trying to monitor only one IP as destination of the subnet but
>
> snort.conf -> var HOME_NET 1.2.3.4/32
> and/or
> snort.conf -> var HOME_NET 1.2.3.4
>
> seems to observe and alert all in this subnet (as destination) ?

As someone else pointed out, only some rules use HOME_NET and/or
EXTERNAL_NET. I'm not quite sure what you are really trying to do, but
perhaps a BPF (Berkeley Packet Filter) might help?

Google "berkeley packet filter" (with the quotes) for more info, but
starting snort like this should limit Snort to seeing ONLY packets to or
from 1.2.3.4/32:

	snort -c /path/to/snort.conf {other snort options} host 1.2.3.4/32

If 1.2.3.4/32 is the host on which Snort lives, the same may be achieved
(usually accidentally :) by using a switch. If Snort is sniffing from
elsewhere and you just want that single host, the BPF above should do the
trick.

HTH,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|      http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash. Now you have to reboot Windows 200x or XP every
couple of days because of a patch. How is that better or more stable?
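Added example, not part of the message above and not code from the Snort project: a small audit of which rules a change to "var HOME_NET" cannot narrow, because their destination field is not $HOME_NET. The function names, rule text and sids are constructed for illustration; point unscoped_rules at your own .rules files instead of sample_rules.

```shell
#!/bin/sh
# Constructed sample rules (sids in the local range), not from any real ruleset.
sample_rules() {
cat <<'EOF'
# local test rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"web probe"; sid:1000001;)
alert icmp any any -> any any (msg:"any icmp"; sid:1000002;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"outbound smtp"; sid:1000003;)
alert udp $EXTERNAL_NET any <> $HOME_NET 53 (msg:"dns both ways"; sid:1000004;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"other variable"; sid:1000005;)
EOF
}

# Read rules on stdin; print "sid destination" for every rule whose
# destination address is NOT exactly $HOME_NET. Those rules are unaffected
# by narrowing HOME_NET to one IP. Rule header fields:
#   action proto src sport direction dst dport (options)
unscoped_rules() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    $5 != "->" && $5 != "<>" { next }      # not a single-line rule header
    {
        # With "<>" either side can be the destination of a packet.
        home = ($6 == "$HOME_NET") || ($5 == "<>" && $3 == "$HOME_NET")
        if (home) next
        sid = "?"
        if (match($0, /sid:[ ]*[0-9]+/)) {
            sid = substr($0, RSTART, RLENGTH)
            sub(/sid:[ ]*/, "", sid)
        }
        print sid, $6
    }'
}

# Stand-alone run over the constructed sample.
sample_rules | unscoped_rules
```

Rules it lists keep alerting on traffic to other hosts whatever HOME_NET is set to, unless a BPF like the one in the reply limits what Snort sees; a destination that is another variable (here $HTTP_SERVERS) has to be checked against its own definition in snort.conf.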