[Snort-users] Sniffing the Gateways

jamesh jamesh at ...3784...
Wed Nov 28 14:07:12 EST 2001


We have 2 gateways, and I am sniffing traffic off both the Ethernet
interfaces (via the switch). I was hoping to see all the traffic
for our statewide network this way, but I am not. After a bit of thinking I
realized this probably will not show me the several serial interfaces that
exist on these gateways, as these route directly out the WAN connections
(i.e., serial and WAN connections are on the same box and route port to port
to get to the internet) and not through the Ethernet interfaces. Is this
correct?

If so, how would I go about seeing everything? As luck would have it, the
secondary gateway is our Cisco 72XX, where
multiple T's to the DSLAMs for DSL exist. BGP tends to send these
connections out this gateway and only once in a while does BGP decide to use
the primary gateway for DSL; in this case Snort will see this. As we have
400+ DSL subscribers, I am interested to see if any have DoS tools installed
(and other bad things).

Generally I just sniff all our servers; this works great. Once a day I would
like to watch all traffic to get the big picture with a special interest in
what is going on with DSL. Any ideas?



James Edwards
jamesh at ...3784...
At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
Phone support 365 days till 10 pm via the Santa Fe office:
505-988-9200 or Toll Free: 888-988-2700





