[Snort-users] Snort stopped sniffing on hub

Chris Green cmg at ...671...
Tue Jan 15 11:01:05 EST 2002


"Cody Hatch" <cody at ...4571...> writes:

> First of all, I can't find an answer to this question anywhere, so
> hopefully someone here can help me.  I've got Snort on a hub located
> outside my firewall.  It's sniffing all traffic to and from my firewall
> (my internal network is behind my firewall).  My Snort box does not have
> a firewall, so my problem isn't that.  For a while, Snort worked fine,
> sniffing all traffic on the hub, then it started only logging traffic
> destined or from the box Snort is running on.  I've got the variable
> HOME_NET set to any, I've set it to my subnet (xxx.xxx.xxx.0/24), I've
> tried everything.  I'm having Snort log to MySQL, and here are the
> arguments being given:
>
> snort -o -b -i eth0 -D -l /var/log/snort -c /etc/snort/snort.conf
>
> I can't think of what my problem is.  Why would it work just fine, and
> then one day start sniffing only traffic to and from its own box?  Any
> ideas?
>

It sounds very much like you are running into 10/100 pseudo hub
problems with media mismatch between machines.  Try forcing all your
NICs to either 10 or 100.
-- 
Chris Green <cmg at ...671...>
Let not the sands of time get in your lunch.



