[Snort-users] Help me friends

Semerjian, Ohanes Semerjian.Ohanes at ...4899...
Mon Dec 9 16:05:03 EST 2002

I'll answer the second part of ur question regarding using snort sensor to
monitor the traffic on ur LAN. To do so successfully u need to mirror the
port u connect the snort sensor to it so all packets going in and out of
other ports on that switch get mirrord to the port that ur snort machine is
connected to.

Read about port mirroring. This is not something specific to snort but it is
a networking concept and its valid for most of vendors like Cisco, Nortel
etc networking devices.

Best Regards

Ohanes Semerjian
Security Administrator, AsiaPac
International Security Group  (Central Services)
WorldCom International

Ph:(02) 9434 5636
Mob: 0410 657 249

75DF 2980 5663 2DC1 12CD  E43E 94D6 7A9A 222D 3449

-----Original Message-----
From: skaushik at ...7706... [mailto:skaushik at ...7706...]
Sent: Saturday, 7 December 2002 6:15 PM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Help me friends

Dear Friends,

I have been trying to use the snort 1.9.0 by creating my own rules.

though i succeeded in implementing that with few simple rules but iam not
able to use it with all its features.

For example:

I wanted to implement the flexresp feature, so i downloaded the libnet 1.0
and reconfigured the snort with the flexresp support but when I implemented
the rule it says the keyword in the rules file is invalid.

The same error i faced when using the portscan feature in my rule.

Also another important thing I wanted to know is that:

I installed the snort in  a machine in the local LAN but not as a gateway
but directly connected to a switch, from which all the machines are

And in this scenario I wanted my snort machine to scan all the network
traffic in the local LAN. The catch here is I was able to scan all the
telnet sessions to the snort machine or from the snort machine but unable to
scan those telnet sessions not involving the snort machine.

Also I was not able to scan the internet requests originating from the other
machine apart from the snort machine. The scan shows only the from (internal
source IP) -> to(the gateway IP), but not the websites' IP address and I
have checked that my rule was right. But that does not happen while scanning
the snort machine, it is giving the detailed internal and external(websites)
ip address.

Is the problem anything to do with the location of the snort machine?

Please help me in this regard.

Warm regards,


More information about the Snort-users mailing list