[Snort-users] Snort with Acid : Network

McCammon, Keith Keith.McCammon at ...3497...
Tue Aug 27 08:29:03 EDT 2002


> All the switches are in cascade form: one switch is connected to the
> other, and there is no VLAN configured.
>
> There are 3 switches with 24 ports each, and all the machines are
> connected with unstructured or unorganized IP addresses. This includes
> the router, which is in one of the switches; the Linux box with Snort
> is in, suppose, switch A.
>
> And my Snort box is not detecting a portscan from one machine to
> another which is in the same switch.
>
> I think I have to place Snort in the proper place, but I am not able to
> figure out where??

Remember that the great advantage to switching is that address tables are maintained on each device, which allows traffic to be sent directly to the destination if it is known, as opposed to being broadcast to every connected node.  If a host on switch C needs to contact another host on switch C, there is no reason to send a copy of the traffic to switch A.

Unless all three switches can be configured to send a copy of all traffic from every port on every switch (pretty nuts, actually) to the single port to which your sensor is connected, then you will not be able to see such traffic.  This is what host-based IDS are for...
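The forwarding behaviour the reply describes, as an added example that is not part of the original message: a toy model of three cascaded learning switches (names, port numbers and hosts are made up) that counts how many frames actually reach a sensor port on switch A, with and without mirroring on that switch.

```python
# Constructed toy model (not from the post): three cascaded learning switches; names are made up.
class Switch:
    def __init__(self, name):
        self.name, self.links, self.mac_table, self.seen = name, {}, {}, {}
        self.mirror_to = None   # SPAN-style port that gets a copy of every frame

    def attach(self, port, peer):   # peer is a host name or (Switch, remote_port)
        self.links[port] = peer

    def receive(self, in_port, src, dst):
        self.mac_table[src] = in_port                  # learn which port src is on
        # Known destination: forward out that one port. Unknown: flood all others.
        out = {self.mac_table[dst]} if dst in self.mac_table else set(self.links)
        out.discard(in_port)
        if self.mirror_to is not None:
            out.add(self.mirror_to)
        for port in out:
            self.seen.setdefault(port, []).append((src, dst))
            peer = self.links[port]
            if isinstance(peer, tuple):                # uplink: hand to the next switch
                peer[0].receive(peer[1], src, dst)

def build():
    """Switch A (router, sensor) -- B -- C (h1, h2), cascaded on ports 24 and 1."""
    a, b, c = Switch("A"), Switch("B"), Switch("C")
    a.attach(24, (b, 1)); b.attach(1, (a, 24))
    b.attach(24, (c, 1)); c.attach(1, (b, 24))
    hosts = {"sensor": (a, 2), "router": (a, 3), "h1": (c, 5), "h2": (c, 6)}
    for name, (sw, port) in hosts.items():
        sw.attach(port, name)
    return a, b, c, hosts

def frames_seen_by_sensor(flows, mirror_on_a=False):
    """Frames of `flows` [(src, dst), ...] delivered out of A/2 (the sensor port)
    once every switch has learned every host; optionally mirror all of A to A/2."""
    a, b, c, hosts = build()
    for name, (sw, port) in hosts.items():             # warm-up: each host sends one
        sw.receive(port, name, "unknown-dst")          # flooded frame, teaching all tables
    for sw in (a, b, c):
        sw.seen.clear()
    a.mirror_to = 2 if mirror_on_a else None
    for src, dst in flows:
        sw, port = hosts[src]
        sw.receive(port, src, dst)
    return len(a.seen.get(2, []))

if __name__ == "__main__":
    scan = [("h1", "h2")] * 5                          # "portscan" that stays on switch C
    print(frames_seen_by_sensor(scan), frames_seen_by_sensor(scan, mirror_on_a=True))  # 0 0
    print(frames_seen_by_sensor([("h1", "router")], mirror_on_a=True))                 # 1
```

Once the MAC tables are populated, the C-to-C scan never crosses an uplink, so even mirroring every port of switch A to the sensor shows nothing; only traffic that actually transits A (here, to the router) becomes visible when A mirrors it.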
