[Snort-users] Clueless in Toronto

Rich Stryker rstryker at ...7794...
Wed Dec 18 10:43:13 EST 2002


Great Thanks Keith!

Got it. I understand now why that is. Switches will broadcast only once until they know which port to send traffic out of. 
This would mean I would miss just about everything except for the broadcasts and multicasts. Whereas a hub is in constant broadcast mode since it shouldn't have the ability to have a MAC table...right?

Assuming I am correct can you or anyone else now help me with SNORTSNARF? When I followed the instructions from Silicon Defense, for installing SNORT on a W2K machine with IIS, SNORT created an alert.ids file. I setup SNORT to run as a service but I didn't get anything, no logs etc. When SNORT runs from the command line it doesn't write to the alert.ids but creates sub folders for every IP address it finds, which I have read to mean that is the default setting.

Any suggestions on how I can get the logs to be put into the alert.ids and thereby allowing me to get SNORTSNARF to work?

-----Original Message-----
From: Knight, Ric [mailto:RKnight at ...7145...]
Sent: Wednesday, December 18, 2002 1:28 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto
Importance: Low


Rich, 

If you only have dumb switches, then get a hub. Force all traffic you want
to monitor through the hub. You only need one interface on the SNORT box to
monitor traffic. If you want to use switches, you need to enable port
spanning so that one switch port receives att the traffic on the switch and
then plug snort into that port.

Crude text diagram...
                   
              Snort
               ||
               \/
Router <----> Hub <-------> firewall

=-=-=-=-=-=-=-=-=-=-
Ric Knight
Network Engineer
TransUnion Canada
170 Jackson St. E. 
Hamilton Ontario, L8N 1L4
(905) 525-9013 x6212



-----Original Message-----
From: Rich Stryker [mailto:rstryker at ...7794...]
Sent: December 18, 2002 11:32 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Clueless in Toronto


Hi,

I have installed SNORT 1.8x on a W2K Server. No service packs as yet because
i am just testing the waters with it. There are 2 NICs. 

I can seem to figure out how to implement it now that it is running. I
figure I will put it behind my firewall. But how do i force traffic to go
through one NIC on the server and out through the other? Do i even need to
do this, is one NIC enough to perform NIDS? I had SNORT doing sniffing but
it only tracked the local computer's traffic and nothing else. 

I have SNORTSNARF installed to see the reports but when I seem to have SNORT
running I can't find the log files. I want SNORT setup for NIDS.

All help is greatly appreciated.

Thanks,

Rich




More information about the Snort-users mailing list