[Snort-users] Snort & multi-port ethernet cards -- PART II

Tom Sevy tsevy at ...1701...
Fri Jun 21 09:18:02 EDT 2002

Thanks very much to Eric, Sandro, Keith, and Vjay for their responses.


I've checked the logs, etc.  The three i/faces that are active on the quad
card do see traffic, but not all the traffic.

For example, I am snorting two internal segments.  When an alert is
generated for an event that happens in segment 1 (on eth1), and the other
end of that event is in segment 3 (on eth3), both sensors should report the
event.  This happens sometimes and at times is does not.  I have one
instance of this event firing where it is seen by both sensors, and then I
have one that was seen only by one of the sensors.  Same src/dst IP in both
cases. The event in question is "ATTACK RESPONSES id check returned root"
when a Unix admin in seg 1 connects to a Unix server in seg 3.

Again, running on RH 7.3, Compaq Proliant 1600, 2 x PIII 500, 512m ram....
Decent box.

And also, on eth 1 & on eth 3, I have a filter set on the snort command

  eth1  not (src net seg1 and dst net seg1)   # ignore traffic that is local
to this segment
  eth3  not (src net seg3 and dst net seg3)   # ignore traffic that is local
to this segment

So as to pick up only traffic that is from/to a different segment....  I am
running snort 1.8.6 bld 105...  [eth1, eth3] are in home_net


# snort -V

-*> Snort! <*-
Version 1.8.6 (Build 105)
By Martin Roesch (roesch at ...1935..., www.snort.org)

More information about the Snort-users mailing list