[Snort-users] Help me friends

Adrian Peters controld at ...4195...
Mon Dec 9 09:55:04 EST 2002


The problem with a switch (as opposed to a hub) is that system MAC addresses are 
associated with ports on the switch. Thus, if machine A wants to talk to 
machine B, the switch does not just send the traffic to all the ports (a 
hub does do that), but rather has an active table of MACs associated with 
ports, and will send the packet only to that port.

To make a long story short: if you want to monitor traffic on one machine 
that is destined to another, you would need to mirror a port. For 
instance, if you want to snort the external traffic, you would need to 
mirror the traffic between your uplink and your firewall/gateway to the 
snort port.

Does that answer your question?

On Sat, 7 Dec 2002 skaushik at ...7706... wrote:

> Dear Friends,
> 
> I have been trying to use the snort 1.9.0 by creating my own rules.
> 
> Though I succeeded in implementing that with a few simple rules, I am not able to use it with all its features.
> 
> For example:
> 
> I wanted to implement the flexresp feature, so I downloaded libnet 1.0 and reconfigured snort with flexresp support, but when I implemented the rule it says the keyword in the rules file is invalid.
> 
> I faced the same error when using the portscan feature in my rule.
> 
> Also another important thing I wanted to know is that:
> 
> I installed snort on a machine in the local LAN, not as a gateway but directly connected to the switch to which all the machines are connected.
> 
> And in this scenario I wanted my snort machine to scan all the network traffic in the local LAN. The catch here is I was able to scan all the telnet sessions to the snort machine or from the snort machine but unable to scan those telnet sessions not involving the snort machine.
> 
> Also, I was not able to scan the internet requests originating from the other machines apart from the snort machine. The scan shows only the from (internal source IP) -> to (the gateway IP), but not the websites' IP address, and I have checked that my rule was right. But that does not happen while scanning the snort machine; it gives the detailed internal and external (websites) IP addresses.
> 
> 
> 
> Is the problem anything to do with the location of the snort machine?
> 
> Please help me in this regard.
> 
> Warm regards,
> S.Kaushik

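As an added illustration (example code, not part of the original thread), the following simulates the forwarding behaviour Adrian describes: a hub repeats every frame, a learning switch delivers known-destination frames only to the learned port, and a mirror (SPAN) entry copies a monitored port's traffic to the sensor port. The port numbers, MAC names and frame list are constructed for the example.

```python
# Added example: minimal hub / learning-switch simulation showing what a
# Snort sensor on an ordinary switch port sees versus a mirrored port.
# Ports and frames below are constructed sample data, not from the thread.

class Hub:
    """A hub repeats every frame out of every port except the one it came in on."""
    def __init__(self, ports):
        self.ports = ports

    def forward(self, frame, in_port):
        return {p for p in self.ports if p != in_port}


class Switch:
    """A learning switch: learns src MAC -> port, floods only unknown destinations.
    mirror maps a monitored port to the port where the sensor is plugged in."""
    def __init__(self, ports, mirror=None):
        self.ports = ports
        self.mac_table = {}
        self.mirror = mirror or {}          # {monitored_port: sensor_port}

    def forward(self, frame, in_port):
        src, dst = frame
        self.mac_table[src] = in_port       # learn where src lives
        if dst in self.mac_table:
            out = {self.mac_table[dst]}     # known destination: one port only
        else:
            out = {p for p in self.ports if p != in_port}  # unknown: flood
        # Port mirroring: copy frames entering or leaving a monitored port.
        for monitored, sensor in self.mirror.items():
            if in_port == monitored or monitored in out:
                out.add(sensor)
        return out


def seen_by(device, sensor_port, frames):
    """Return the (src, dst) pairs that actually reach sensor_port."""
    seen = []
    for src, dst, in_port in frames:
        if sensor_port in device.forward((src, dst), in_port):
            seen.append((src, dst))
    return seen


# Constructed scenario: port 1 = internal host A, port 2 = gateway B,
# port 3 = the Snort sensor. A and B exchange three frames.
FRAMES = [("A", "B", 1), ("B", "A", 2), ("A", "B", 1)]
PORTS = [1, 2, 3]

if __name__ == "__main__":
    print("hub:     ", seen_by(Hub(PORTS), 3, FRAMES))
    print("switch:  ", seen_by(Switch(PORTS), 3, FRAMES))
    print("mirrored:", seen_by(Switch(PORTS, mirror={2: 3}), 3, FRAMES))
```

On the plain switch the sensor sees only the first frame (flooded while B's port was still unknown); with port 2 mirrored to port 3 it sees the whole A/B exchange, which is the situation described in the question.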
More information about the Snort-users mailing list