[Snort-users] seeing whol subnet
Semerjian.Ohanes at ...4899...
Wed Dec 18 16:35:02 EST 2002
Your problem has nothing to do with the Snort sensor. You need to mirror the port that
the sensor is connected to. You need to read and understand how network
Switches are not like hubs; switches build a table for MAC addresses and ports
and will only send a packet to specific port(s). This is to prevent broadcast. As
I mentioned, you need to read a bit more about networking.
From: David Bear [mailto:David.Bear at ...1022...]
Sent: Thursday, 19 December 2002 3:30 AM
Subject: [Snort-users] seeing whol subnet
I would like Snort to 'see'/'report' on hosts in the whole subnet. I have
set my HOME_NET var to any, as well as trying vx0_ADDRESS and different
combinations of the ip/add/subnet (in CIDR block notation). When Snort does
alert, it only alerts on attacks directed to the host it is running on, i.e.
it does not alert when any other host is attacked. I am running on
FreeBSD 4.6.2. While I don't control the wiring and network switches, I am
reasonably certain this is a standard 10/mbt shared ethernet port -- so all
hosts should be visible.
Are there any other config parameters that I am just missing? (I have
enabled ALL rules to alert -- even the ICMP rules that seem to generate a lot
of alerts -- still all quiet.) I'm not quite ready to believe that my subnet
is this quiet...
College of Public Programs/ASU
Mail Code 0803
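An added example, not part of the original messages: one way to check from the sensor itself whether its port behaves like a shared segment or an unmirrored switch port is to classify captured frames by destination MAC. It assumes link-layer lines in the format printed by `tcpdump -e -n`; the function names, MAC addresses and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Link-layer header as printed by `tcpdump -e -n` (format is an assumption):
#   "<time> <src mac> > <dst mac>, ethertype ..."
MAC = r"(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}"
FRAME = re.compile(rf"\b({MAC}) > ({MAC})\b", re.I)

def norm(mac):
    """Zero-pad octets so 0:a0:c9:... and 00:a0:c9:... compare equal."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))

def classify(lines, sensor_mac):
    """Count frames by how they relate to the sensor's own NIC."""
    me, counts = norm(sensor_mac), Counter()
    for line in lines:
        m = FRAME.search(line)
        if not m:
            continue  # not a frame line
        src, dst = norm(m.group(1)), norm(m.group(2))
        if int(dst[:2], 16) & 1:
            counts["flooded"] += 1        # group bit: broadcast/multicast
        elif me in (src, dst):
            counts["own"] += 1            # sensor's own conversations
        else:
            counts["other_unicast"] += 1  # traffic between other hosts
    return counts

def verdict(counts):
    if counts["other_unicast"]:
        return "shared segment, mirror port or tap"
    if counts["own"] or counts["flooded"]:
        return "unmirrored switch port"
    return "no frames parsed"

# Constructed sample capture; every MAC and IP below is made up.
SENSOR = "00:a0:c9:11:22:33"
SWITCHED = [
    "16:35:02.1 00:a0:c9:11:22:33 > 00:10:5a:aa:bb:01, ethertype IPv4 (0x0800), length 74: 10.0.0.7.1025 > 10.0.0.1.53: UDP, length 32",
    "16:35:02.2 00:10:5a:aa:bb:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.9 tell 10.0.0.5, length 46",
    "16:35:02.3 0:10:5a:aa:bb:1 > 0:a0:c9:11:22:33, ethertype IPv4 (0x0800), length 90: 10.0.0.1.53 > 10.0.0.7.1025: UDP, length 48",
]
MIRRORED = SWITCHED + [
    "16:35:02.4 00:10:5a:aa:bb:02 > 00:10:5a:aa:bb:03, ethertype IPv4 (0x0800), length 60: 10.0.0.5.3321 > 10.0.0.9.80: tcp 0",
]

if __name__ == "__main__":
    for name, cap in (("switched", SWITCHED), ("mirrored", MIRRORED)):
        print(name, dict(classify(cap, SENSOR)), "->", verdict(classify(cap, SENSOR)))
```

A switch also floods unicast frames to destinations it has not yet learned, so a handful of `other_unicast` frames in a long capture does not by itself prove the port is mirrored.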