[Snort-users] seeing whol subnet

Matt Yackley Matt.Yackley at ...5858...
Wed Dec 18 08:51:03 EST 2002

David, if your Snort box is plugged into a switch you won't see other
traffic unless the switch has some type of port mirroring / spanning,
Try running tcpdump and see if you see traffic for other hosts, well other
than broadcast traffic anyway.


-----Original Message-----
From: David Bear [mailto:David.Bear at ...1022...]
Sent: Wednesday, December 18, 2002 10:30 AM
To: snort-users
Subject: [Snort-users] seeing whol subnet

I would like snort to 'see'/'report' on hosts in the whole subnet.  I have
set my HOME_NET vary to any, and well as trying vx0_ADDRESS and different
combinations of the ip/add/subnet (in CIDR block notation).  When snort does
alert, it only alerts on attacks directed to the host it is running on, ie
it does not alert on when any other host is attacked.  I am runing on
freebsd 4.6.2.  While I don't control the wiring and network switches I am
reasonaly certain this is a standard 10/mbt shared ethernet port -- so all
hosts should be visible.

Are there any other config parameters that I am just missing? (I have
enabled ALL rules to alert -- even the icmp rule that seem to generate a lot
of alert -- still all quiet.  I'm not quite ready to believe that my subnet
is this quiet...


David Bear
College of Public Programs/ASU
Mail Code 0803

This SF.NET email is sponsored by: Order your Holiday Geek Presents Now!
Green Lasers, Hip Geek T-Shirts, Remote Control Tanks, Caffeinated Soap,
MP3 Players,  XBox Games,  Flying Saucers,  WebCams,  Smart Putty.
T H I N K G E E K . C O M       http://www.thinkgeek.com/sf/
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list