Gentoo Wiki


This article is part of the HOWTO series.
Installation Kernel & Hardware Networks Portage Software System X Server Gaming Non-x86 Emulators Misc


What's that?

Please take a look to NIDS.

System setup

Here is an example of how your system can be configured.


The NIDS is a server with two ethernet interfaces, that is located in the red zone of your network. The red zone is a high risk because of increased probability of attacks from Internet. Everything in you private network is important and must be hidden from the public Internet. If someone tries to enter your private network, it's important that your NIDS discovers it and takes measure, such as turn off the firewall or disconnect it from internet.

Howto connect network interfaces

The NIDS has two interfaces:

Note: Is important the device is not a switch, but a hub.
Note: Another configuration is possible if your switch could configure the Monitoring Port.

This configuration emulates the behaviour of a Hub Device, that replicates the traffic of any device linked on all the other ports.

Howto configure network interfaces

As shown in the figure, network interfaces must be configured as follows:

File: /etc/conf.d/net (Comment out, modify or delete the following line)
iface_eth0="192.168.x.y broadcast 192.168.x.255 netmask"
iface_eth1=" broadcast netmask"

SetUp Snort to do this work

Take a look first at HOWTO Snort.

You need to edit the next file if you want setup a Network IDS.

File: /etc/snort/snort.conf (Comment out, modify or delete the following line)
# var
var HOME_NET # you're subnet
# preprocessors
preprocessor frag2
preprocessor stream4: detect_scans detect_state_problems detect_scans disable_evasion_alerts
preprocessor stream4_reassemble: ports all
preprocessor http_decode: 80 8080 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
Retrieved from ""

Last modified: Fri, 05 Sep 2008 09:29:00 +0000 Hits: 9,238