[Snort-users] no TCP traffic except in/out of the snort server (SUN 2.7)

Martin Roesch roesch at ...421...
Tue Jan 16 16:55:06 EST 2001


Another factor to consider: If this is an older Sparc and you're on a
10/100 hub, you may not be able to see traffic on the 100Mbps "side" of
the hub.  I've got an Ultra1 here that has a 10Mbps interface and it
can't see the traffic between my hosts that are negotiated (on the hub)
at 100Mbps...

   -Marty

"North, Jason" wrote:
> 
> Are you on a switched network?
> Sounds like the usual traffic from such a scenario (localhost traffic and
> broadcast stuff).
> If that is the case, you will need to do one of two things:
> 1. Put a hub between two devices (routers, servers, switches, whatever)
> where you want to monitor, and put your snort box on that same hub,
> or preferably
> 2. Put a network tap device (such as a Shomiti Century) between the
> aforementioned two devices and run your snort box off of it.  You will need
> a second NIC for snort to do any external reporting (syslog, email alerting
> via swatch, etc.)  This also gives you the added advantage of hiding your
> sensor from the network at large.
> 
> -----Original Message-----
> From: Fab Lab [mailto:fab_lab at ...125...]
> Sent: Tuesday, January 16, 2001 3:55 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] no TCP traffic except in/out of the snort server
> (SUN 2.7)
> 
> Hi there !
> I just installed snort-1.7 on a Sparc running 2.7...
> I am NOT a sun specialist, NOR a network specialist, NOR .... ;-)
> 
> here is what I've done :
> 
> installed libnet from
> http://www.packetfactory.net/Projects/Libnet/dist/libnet-1.0.1b.tar.gz
> 
> installed libpcap package libpcap-0.4-sol7-sparc-local.bz2
> from www.sunfreeware.com
> 
> compiled snort w/ gcc .
> 
> running
> snort -v -h mynetwork/24
> shows me
> * all the TCP traffic in and out of the SUN,
> * some UDP traffic on port 138 (NETBIOS Datagram Service) between
> some machines
> * but doesn't show me any other TCP traffic between any other machine
> 
> any idea / suggestion  ?
> 
> thanks
> fab

--
Martin Roesch
roesch at ...421...
http://www.snort.org
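
An added example, not part of the original thread: a small Python check that sorts captured packet summaries into traffic involving the sensor itself, broadcast/multicast, and unicast between other hosts, which is the pattern that distinguishes a switched port (or a speed-isolated hub segment) from real visibility. The one-line packet format, the addresses and the function names are assumptions made for this illustration; it is not Snort output.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in a simplified "PROTO src:port -> dst:port" form.
# Assumed sensor: 192.0.2.10 on 192.0.2.0/24 (documentation addresses).
SAMPLE = """\
TCP 192.0.2.10:32801 -> 192.0.2.20:23
TCP 192.0.2.20:23 -> 192.0.2.10:32801
UDP 192.0.2.31:138 -> 192.0.2.255:138
UDP 192.0.2.32:138 -> 192.0.2.255:138
TCP 198.51.100.7:1045 -> 192.0.2.10:22
"""

LINE = re.compile(r"^(TCP|UDP)\s+([\d.]+):\d+\s+->\s+([\d.]+):\d+$")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify(lines, sensor_ip, network):
    """Count packets per (protocol, category); category is one of
    'sensor', 'broadcast' or 'third_party'."""
    sensor = ipaddress.ip_address(sensor_ip)
    net = ipaddress.ip_network(network)
    counts = Counter()
    for line in lines.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a packet summary
        proto = m.group(1)
        src = ipaddress.ip_address(m.group(2))
        dst = ipaddress.ip_address(m.group(3))
        if sensor in (src, dst):
            cat = "sensor"        # a switch always delivers this
        elif dst in (net.broadcast_address, LIMITED_BROADCAST) or dst.is_multicast:
            cat = "broadcast"     # flooded to every port
        else:
            cat = "third_party"   # only seen on a hub, tap or mirror port
        counts[(proto, cat)] += 1
    return counts


def sensor_is_blind(counts):
    """True when no unicast traffic between other hosts was captured."""
    return not any(cat == "third_party" for (_, cat) in counts)


if __name__ == "__main__":
    result = classify(SAMPLE, "192.0.2.10", "192.0.2.0/24")
    print(dict(result), "blind:", sensor_is_blind(result))
```

A capture that stays "blind" while other hosts are known to be talking to each other points at the placement problems described in the thread rather than at the Snort build.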