[Snort-users] seeing whol subnet
Matt.Yackley at ...5858...
Wed Dec 18 08:51:03 EST 2002
David, if your Snort box is plugged into a switch you won't see other
traffic unless the switch has some type of port mirroring / spanning,
Try running tcpdump and see if you see traffic for other hosts, well other
than broadcast traffic anyway.
From: David Bear [mailto:David.Bear at ...1022...]
Sent: Wednesday, December 18, 2002 10:30 AM
Subject: [Snort-users] seeing whol subnet
I would like snort to 'see'/'report' on hosts in the whole subnet. I have
set my HOME_NET vary to any, and well as trying vx0_ADDRESS and different
combinations of the ip/add/subnet (in CIDR block notation). When snort does
alert, it only alerts on attacks directed to the host it is running on, ie
it does not alert on when any other host is attacked. I am runing on
freebsd 4.6.2. While I don't control the wiring and network switches I am
reasonaly certain this is a standard 10/mbt shared ethernet port -- so all
hosts should be visible.
Are there any other config parameters that I am just missing? (I have
enabled ALL rules to alert -- even the icmp rule that seem to generate a lot
of alert -- still all quiet. I'm not quite ready to believe that my subnet
is this quiet...
College of Public Programs/ASU
Mail Code 0803
This SF.NET email is sponsored by: Order your Holiday Geek Presents Now!
Green Lasers, Hip Geek T-Shirts, Remote Control Tanks, Caffeinated Soap,
MP3 Players, XBox Games, Flying Saucers, WebCams, Smart Putty.
T H I N K G E E K . C O M http://www.thinkgeek.com/sf/
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users