
Thread: Snort Monitoring (one host vs. network)

  1. #1

    Snort Monitoring (one host vs. network)

    ahh.. Snort is a great tool. Takes some time to learn and get comfortable with, but it's worth it.

    Question for someone that knows more than I:
    - Snort is logging events and alerts on more than just my WinXP box. I have the $HOME_NET variable set to $(\Device\NPF_{my NIC interface name}_ADDRESS) in snort.conf. I do this because I have a dynamic IP address (this is a laptop). Is there something else I must do to restrict alerts and events to my IP address only?

    Also, has the spp_portscan.log file been deprecated and replaced by the flow-portscan preprocessor? I'd like to generate a portscan.log file for use with ACID, but the general portscan preprocessor isn't in the conf file (perhaps I can just place it there?)

    Mucho Thankso,
    l00p

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I don't think that there is much you can do with the dynamic address issue unless you are always on the same network in which case you could assign a DHCP reservation for your MAC address.

    I'm using Snort 2.x and it drops its portscan log from the new preprocessor right in the working directory of Snort. I don't use ACID any more so I don't remember if you can configure it to use a specific file.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    What options do you use for the flow-portscan preprocessor? Mine starts off ok, but gives me three warning messages (saying the command line rules override the plugin alert). I don't know why.. and the flow-portscan documentation doesn't help at all..

    l00p

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Which startup options are you using?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    snort -c c:\snort\etc\snort.conf -l c:\snort\log -i1

    I haven't added anything interesting to the rules file aside from what's already in there. I've enabled (almost) all the options under the flow-portscan processor...

    l00p
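A snort.conf fragment, added here as an illustration and not posted by anyone in this thread, showing the interface-address form of HOME_NET that the opening post describes together with the Snort 2.x flow and flow-portscan lines the later posts ask about; the interface name, the ignore nets and the thresholds are assumed placeholder values and should be checked against the snort.conf shipped with your own Snort version.

```conf
# Example snort.conf fragment (added illustration; addresses and thresholds are placeholders)

# HOME_NET taken from the sniffing interface's current address, so a DHCP
# lease change does not require editing the file. Linux form shown; the
# Windows form is the \Device\NPF_{...}_ADDRESS variable used in the opening post.
var HOME_NET $eth0_ADDRESS

# Everything that is not this host. Rules written as
# "$EXTERNAL_NET any -> $HOME_NET any" then only match traffic aimed at this
# box; rules written as "any any -> any any" still fire on whatever the NIC sees.
var EXTERNAL_NET !$HOME_NET

# flow-portscan depends on the flow preprocessor, which must be loaded first
preprocessor flow: stats_interval 0 hash 2

# Portscan detection in Snort 2.1/2.2 (flow-portscan). "alert-mode once"
# raises one alert per scanner instead of one per probe; the ignore nets
# silence known-noisy hosts such as the local gateway (placeholder addresses).
preprocessor flow-portscan: \
    talker-fixed-threshold 30 \
    talker-sliding-threshold 30 \
    talker-fixed-window 30 \
    talker-sliding-window 20 \
    scanner-fixed-threshold 15 \
    scanner-sliding-threshold 40 \
    scanner-fixed-window 15 \
    scanner-sliding-window 20 \
    src-ignore-net [192.168.0.1/32] \
    dst-ignore-net [10.0.0.0/30] \
    alert-mode once \
    output-mode msg \
    tcp-penalties on
```

Run with the same command line as in post #5 (snort -c <snort.conf> -l <logdir> -i<n>) and confirm in the startup banner that both preprocessors initialise without warnings before relying on the alerts.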
