Snort Forums Archive
Snort as local IDS
Posted by jhyiesla on March 08, 2005 06:58:13
I want to install Snort on a number of computers to monitor possible intrusions on those particular PCs. Is this possible, and is there a "standard" command line input that would make this happen? Or is a GUI tool better? I had tried this once before, and ended up with all sorts of things that had nothing to do with what I was looking for.
Thanx...Jon
Posted by geekgerl on March 13, 2005 10:19:52
There are a few things you can do. On each host/PC installation:
1. Ensure that the Ethernet interface is NOT in promiscuous mode. That way, Snort will only see traffic to/from that particular host.
2. In your snort.conf file, ensure that your VAR_HOME_NET is set to the IP address of your host. So if your host is 192.168.1.1, then you should have "var HOME_NET 192.168.1.1".
3. In your snort.conf file, comment out any services that are not running on that host. For example, if your host is not running a SQL server then change "var SQL_SERVERS $HOME_NET" to "#var SQL_SERVERS $HOME_NET".
4. Finally, in your snort.conf file remove any rules that are not applicable to your host. Using the example above, if your host is not running a SQL server then there is no need to have the line "include $RULE_PATH/sql.rules" in your snort.conf.
I hope this helps!
-Laura
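
The snort.conf changes in steps 2 to 4 of the reply above can be checked with a short script. This is an added example, not part of the original thread; the service-to-variable mapping, the `audit` function and the sample config are assumptions constructed for illustration.

```python
import re

# Assumed mapping from a service to its snort.conf variable and rules file
# (Snort 2.x default names; adjust to the services in your own snort.conf).
SERVICES = {
    "sql": ("SQL_SERVERS", "sql.rules"),
    "smtp": ("SMTP_SERVERS", "smtp.rules"),
    "dns": ("DNS_SERVERS", "dns.rules"),
    "telnet": ("TELNET_SERVERS", "telnet.rules"),
}
VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(\S+)")
INC_RE = re.compile(r"^\s*include\s+\$RULE_PATH/(\S+)")

def audit(conf_text, host_ip, not_running):
    """Return findings for a snort.conf meant to watch one host only."""
    variables, includes = {}, set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments and commented-out lines
        if m := VAR_RE.match(line):
            variables[m.group(1)] = m.group(2)
        elif m := INC_RE.match(line):
            includes.add(m.group(1))
    findings = []
    home = variables.get("HOME_NET")
    if home != host_ip:  # step 2: HOME_NET must be this host's address
        findings.append(f"HOME_NET is {home}, expected {host_ip}")
    for svc in not_running:
        var, rules = SERVICES[svc]
        if var in variables:  # step 3: service variable should be commented out
            findings.append(f"{var} still defined but {svc} is not running")
        if rules in includes:  # step 4: rules file should not be included
            findings.append(f"{rules} still included but {svc} is not running")
    return findings

# Constructed sample config for a host at 192.168.1.1 running only SMTP.
SAMPLE_CONF = """\
var HOME_NET any
var SMTP_SERVERS $HOME_NET
#var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH ../rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/sql.rules
#include $RULE_PATH/dns.rules
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "192.168.1.1", ["sql", "dns", "telnet"]):
        print(finding)
```

The sample deliberately applies step 3 without step 4 for SQL and step 4 without step 3 for DNS, so both kinds of leftover are reported.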