[Snort-users] Sniffing the Gateways

controld at ...4195...
Wed Nov 28 14:49:06 EST 2001


Lil confused? Can't quite envision the gateway data flow?
How do these gateways terminate to your external router?
If it's on a switch, mirror those ports to a Snort port.

On Wed, 28 Nov 2001, jamesh wrote:

> We have 2 gateways, and I am sniffing traffic off both the Ethernet
> interfaces (via the switch). I was hoping to see all the traffic
> for our statewide network this way, but I am not. After a bit of thinking I
> realized this probably will not show me the several serial interfaces that
> exist on these gateways, as these route directly out the WAN connections
> (i.e., serial and WAN connections are on the same box and route port to port
> to get to the internet) and not through the Ethernet interfaces. Is this
> correct?
>
> If so how would I go about seeing everything? As luck would have it, the
> secondary gateway is our Cisco 72XX, where
> multiple T's to the DSLAMs for DSL exist. BGP tends to send these
> connections out this gateway and only once in a while does BGP decide to use
> the primary gateway for DSL; in this case Snort will see this. As we have
> 400+ DSL subscribers, I am interested to see if any have DoS tools installed
> (and other bad things).
>
> Generally I just sniff all our servers, this works great. Once a day I would
> like to watch all traffic to get the big picture with a special interest in
> what is going on with DSL. Any ideas?
>
>
>
> James Edwards
> jamesh at ...3784...
> At the Santa Fe Office: Internet at Cyber Mesa
> Store hours: 9-6 Monday through Friday
> Phone support 365 days till 10 pm via the Santa Fe office:
> 505-988-9200 or Toll Free: 888-988-2700




