[Snort-users] seeing whol subnet

Semerjian, Ohanes Semerjian.Ohanes at ...4899...
Wed Dec 18 16:35:02 EST 2002


ur problem is nothing 2 do with snort sensor. U need to mirror the port that
the sensor is connected to. U need 2 read and understand how network
switching works.

Switches r not like hubs, switches build a table for MAC addresses and ports
and will only send packet to specific port(s). This to prevent broadcast. As
I mentioned u need to read a bit more about networking. 

Best Regards

Ohanes Semerjian


-----Original Message-----
From: David Bear [mailto:David.Bear at ...1022...]
Sent: Thursday, 19 December 2002 3:30 AM
To: snort-users
Subject: [Snort-users] seeing whol subnet


I would like snort to 'see'/'report' on hosts in the whole subnet.  I have
set my HOME_NET vary to any, and well as trying vx0_ADDRESS and different
combinations of the ip/add/subnet (in CIDR block notation).  When snort does
alert, it only alerts on attacks directed to the host it is running on, ie
it does not alert on when any other host is attacked.  I am runing on
freebsd 4.6.2.  While I don't control the wiring and network switches I am
reasonaly certain this is a standard 10/mbt shared ethernet port -- so all
hosts should be visible.

Are there any other config parameters that I am just missing? (I have
enabled ALL rules to alert -- even the icmp rule that seem to generate a lot
of alert -- still all quiet.  I'm not quite ready to believe that my subnet
is this quiet...

--

David Bear
College of Public Programs/ASU
Mail Code 0803


-------------------------------------------------------
This SF.NET email is sponsored by: Order your Holiday Geek Presents Now!
Green Lasers, Hip Geek T-Shirts, Remote Control Tanks, Caffeinated Soap,
MP3 Players,  XBox Games,  Flying Saucers,  WebCams,  Smart Putty.
T H I N K G E E K . C O M       http://www.thinkgeek.com/sf/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20021218/35792bce/attachment.html>


More information about the Snort-users mailing list