Snort mailing list archives

RE: one IP


From: JP Vossen <vossenjp () netaxs com>
Date: Fri, 6 Feb 2004 00:02:50 -0500 (EST)

Date: Wed, 4 Feb 2004 13:49:39 +0100
From: Keming <kemweb () keming de>
Reply-To: Keming <kemweb () keming de>
To: snort-users () lists sourceforge net
Subject: [Snort-users] one IP

Hi,

I'm trying to monitor only one IP as destination of the subnet but

snort.conf -> var HOME_NET 1.2.3.4/32
and/or
snort.conf -> var HOME_NET 1.2.3.4

seems to observe and alert all in this subnet (as destination)?

As someone else pointed out, only some rules use HOME_NET and/or EXTERNAL_NET.
I'm not quite sure what you are really trying to do, but perhaps a BPF
(Berkeley Packet Filter) might help?

Google "berkeley packet filter" (with the quotes) for more info, but starting
snort like this should limit Snort to seeing ONLY packets to or from
1.2.3.4/32:
        snort -c /path/to/snort.conf {other snort options} host 1.2.3.4

If 1.2.3.4/32 is the host on which Snort lives, the same may be achieved
(usually accidentally :) by using a switch.  If Snort is sniffing from
elsewhere and you just want that single host, the BPF above should do the
trick.

HTH,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
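
The difference between scoping with HOME_NET and scoping with a BPF host filter, as an added example that is not part of the original message. The rule headers are constructed samples, and the model is simplified: it checks only the address fields (no ports, protocols, negation or address lists), and all function names are hypothetical.

```python
import ipaddress

# Constructed sample rule headers: action proto src sport -> dst dport
RULES = [
    "alert tcp $EXTERNAL_NET any -> $HOME_NET 80",
    "alert tcp any any -> any 23",
    "alert icmp $EXTERNAL_NET any -> any any",
]
# Variables as the question sets them in snort.conf
VARS = {"HOME_NET": "1.2.3.4/32", "EXTERNAL_NET": "any"}

def addr_matches(spec, ip, variables):
    """True if ip falls inside a rule address field (variable, 'any' or CIDR)."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rules_seeing(src, dst, variables=VARS, rules=RULES):
    """Rule headers whose source and destination address fields match the packet."""
    hits = []
    for rule in rules:
        _, _, rsrc, _, _, rdst, _ = rule.split()
        if addr_matches(rsrc, src, variables) and addr_matches(rdst, dst, variables):
            hits.append(rule)
    return hits

def bpf_host_pass(src, dst, host):
    """Model of the capture filter 'host <addr>': keep packets to or from host."""
    return host in (src, dst)

def alerts(src, dst, bpf_host=None):
    """Rules that can fire for a packet, optionally behind a BPF host filter."""
    if bpf_host is not None and not bpf_host_pass(src, dst, bpf_host):
        return []  # dropped at capture time, never reaches the rules
    return rules_seeing(src, dst)

if __name__ == "__main__":
    # A neighbour in the same subnet still triggers the rules that say 'any'
    print(alerts("10.0.0.1", "1.2.3.9"))
    # With the BPF in place, the same packet is never inspected
    print(alerts("10.0.0.1", "1.2.3.9", bpf_host="1.2.3.4"))
```
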


