[Snort-users] Snort doesn't appear to be looking at everything on our network
rdesmond at ...6547...
Wed Oct 23 12:20:08 EDT 2002
At 02:13 PM 10/22/02 -0700, Bob Dehnhardt wrote:
>Steve, it sounds like your network is fully switched - a sniffer in this
>environment would display the symptoms you're describing (in switched
>networks, traffic is segregated, and you won't see the whole network).
>Try moving your sensor to a network choke point, like the internal interface
>on a gateway switch or router. You still won't see all the traffic on your
>network (purely internal traffic will remain segregated), but you will see
>aggregate traffic entering and leaving your network.
> - Bob
In addition, most switch manufacturers have a command for port mirroring or
monitoring. In Cisco terminology, this is called a SPAN port. Check out the
documentation for your switches to find out how to do this, then set up a port
and hook the snort box into it.
UCSB Extended Learning Services
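Added example, not part of the original posts: a quick check of whether the sensor's port is actually receiving mirrored traffic, by classifying the Ethernet addresses in `tcpdump -e -n` style output. The MAC addresses, sample lines, function names and the 50% threshold are all assumptions made for illustration.

```python
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Link-layer part of a `tcpdump -e -n` line: "<src MAC> > <dst MAC>,"
FRAME_RE = re.compile(rf"({MAC}) > ({MAC}),", re.I)

SENSOR_MAC = "00:0c:29:00:00:01"  # constructed address of the Snort box

# Constructed sample lines (not real captures). On an ordinary switch port the
# sensor sees only broadcast/multicast frames and its own conversations.
ORDINARY_PORT = [
    "12:00:00.000001 00:0c:29:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.254 tell 10.0.0.2, length 46",
    "12:00:00.000002 00:0c:29:00:00:01 > 00:0c:29:00:00:fe, ethertype IPv4 (0x0800), length 74: 10.0.0.1.40000 > 10.0.0.254.53: UDP, length 32",
    "12:00:00.000003 00:0c:29:00:00:fe > 00:0c:29:00:00:01, ethertype IPv4 (0x0800), length 90: 10.0.0.254.53 > 10.0.0.1.40000: UDP, length 48",
    "12:00:00.000004 00:0c:29:00:00:03 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 10.0.0.3.5353 > 224.0.0.251.5353: UDP, length 45",
]
# On a mirror (SPAN) port, unicast frames between other hosts show up as well.
MIRROR_PORT = [
    "12:00:01.000001 00:0c:29:00:00:02 > 00:0c:29:00:00:fe, ethertype IPv4 (0x0800), length 74: 10.0.0.2.1234 > 192.0.2.10.80: Flags [S], length 0",
    "12:00:01.000002 00:0c:29:00:00:fe > 00:0c:29:00:00:02, ethertype IPv4 (0x0800), length 74: 192.0.2.10.80 > 10.0.0.2.1234: Flags [S.], length 0",
    "12:00:01.000003 00:0c:29:00:00:03 > 00:0c:29:00:00:fe, ethertype IPv4 (0x0800), length 74: 10.0.0.3.2345 > 192.0.2.20.25: Flags [S], length 0",
    "12:00:01.000004 00:0c:29:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.254 tell 10.0.0.2, length 46",
]

def is_group_address(mac):
    # Broadcast and multicast MACs have the low bit of the first octet set.
    return int(mac[:2], 16) & 1 == 1

def classify(lines, sensor_mac):
    """Count frames as flooded (broadcast/multicast), own, or third_party."""
    counts = {"own": 0, "flooded": 0, "third_party": 0}
    sensor_mac = sensor_mac.lower()
    for line in lines:
        m = FRAME_RE.search(line)
        if not m:
            continue  # line carries no Ethernet header (tcpdump run without -e)
        src, dst = m.group(1).lower(), m.group(2).lower()
        if is_group_address(dst):
            counts["flooded"] += 1
        elif sensor_mac in (src, dst):
            counts["own"] += 1
        else:
            counts["third_party"] += 1  # unicast between two other hosts
    return counts

def sees_mirrored_traffic(counts, min_share=0.5):
    # A few third-party frames can appear from unknown-unicast flooding,
    # so require a substantial share before calling the port mirrored.
    total = sum(counts.values())
    return total > 0 and counts["third_party"] / total >= min_share
```

A capture from the sensor interface that comes back with almost no third-party unicast frames matches the symptom described in this thread.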