[Snort-users] Snort doesn't appear to be looking at everythin g on our network
bob.dehnhardt at ...7168...
Tue Oct 22 14:18:01 EDT 2002
Steve, it sound like you network is fully switched - a sniffer is this
environment would display the symptoms you're describing (in switched
networks, traffic is segregated, and you won't see the whole network).
Try moving your sensor to a network choke point, like the internal interface
on a gateway switch or router. You still won't see all the traffic on your
network (purely internal traffic will remain segregated), but you will see
aggregate traffic entering and leaving your network.
From: Steve Saunders [mailto:stevefs at ...7249...]
Sent: Tuesday, October 22, 2002 9:00 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort doesn't appear to be looking at
everything on our network
Snort doesn't appear to be looking at everything on our network, I don't see
any traffic except broadcast and traffic connecting to my pc. One of the
rules I setup was to alert me when someone pings on our network, I don't
receive any alerts unless my pc gets pinged. If I ping anything else it
doesn't alert me. Even when I run snort as a packet sniffer, it never picks
up anything except the broadcast. Is there something on our network that
could be interfering with it, or am I doing something wrong? The command I
use to run Snort is "snort -i2 -c c:\snort\rules.rules -l c:\snort\log", the
rule I set in the rules.rules file states "alert icmp any any -> any any
(msg: "possible ping attempt";).
This sf.net emial is sponsored by: Influence the future
of Java(TM) technology. Join the Java Community
Process(SM) (JCP(SM)) program now.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users