[Snort-users] Snort in a switched environment

McCammon, Keith Keith.McCammon at ...3497...
Tue May 14 08:31:02 EDT 2002

Unless you specify otherwise via a command-line argument, the interface will be operating in promiscuous mode, and will inspect any packet that comes across the wire.

As far as switching is concerned, you'll want to place your sensor on a monitoring/mirroring port, so that it captures the appropriate traffic in the appropriate direction.

-----Original Message-----
From: Bastian Ballmann [mailto:ballmann at ...3190...]
Sent: Tuesday, May 14, 2002 11:20 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort in a switched environment

Is it possible to run Snort in a switched environment? Cause Snort can only 
sniff the traffic of the host he is running on. Unless he is doing something 
like ARP poisoning or something like this...
But I think this would lead into trouble if you run the arpspoof preprocessor 

Bastian Ballmann
Bastian Ballmann [ ballmann at ...3190... ]
@ Computational Design GmbH
[ http://www.co-de.de ]


Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth at ...382...
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list