[Snort-users] Snort doesn't appear to be looking at everything on our network

Robby Desmond rdesmond at ...6547...
Wed Oct 23 12:20:08 EDT 2002


At 02:13 PM 10/22/02 -0700, Bob Dehnhardt wrote:
>Steve, it sounds like your network is fully switched - a sniffer in this
>environment would display the symptoms you're describing (in switched
>networks, traffic is segregated, and you won't see the whole network).
>
>Try moving your sensor to a network choke point, like the internal interface
>on a gateway switch or router. You still won't see all the traffic on your
>network (purely internal traffic will remain segregated), but you will see
>aggregate traffic entering and leaving your network.
>
>  - Bob

In addition, most switch manufacturers have a command for port mirroring or 
monitoring. In Cisco terminology, this is called a SPAN port. Check out the 
documentation for your switches to find out how to do this, then set up a port 
and hook the snort box into it.

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906
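
One way to check whether the sensor port actually receives mirrored traffic, as an added example that is not part of the original post: it classifies lines of `tcpdump -e -n` output by destination MAC. The sample lines, MAC addresses and the threshold are constructed for illustration.

```python
import re

# Link-level header printed by tcpdump -e: "<src MAC> > <dst MAC>,"
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
FRAME_RE = re.compile(MAC + r" > " + MAC + r",", re.I)

def is_group_address(mac):
    # Broadcast and multicast MACs have the low bit of the first octet set.
    return int(mac.split(":")[0], 16) & 1 == 1

def classify(lines, sensor_mac):
    """Count frames that are flooded, the sensor's own, or third-party unicast."""
    sensor_mac = sensor_mac.lower()
    counts = {"own": 0, "flooded": 0, "third_party": 0}
    for line in lines:
        m = FRAME_RE.search(line)
        if not m:
            continue  # not a frame line (e.g. tcpdump banner text)
        src, dst = m.group(1).lower(), m.group(2).lower()
        if is_group_address(dst):
            counts["flooded"] += 1      # every switch port sees these
        elif sensor_mac in (src, dst):
            counts["own"] += 1          # traffic to or from the sensor itself
        else:
            counts["third_party"] += 1  # only visible on a mirror port or hub
    return counts

def sees_mirrored_traffic(counts, threshold=2):
    # Assumption: a stray third-party frame can appear on an ordinary switch
    # port (unknown-unicast flooding), so require more than one.
    return counts["third_party"] >= threshold

SENSOR = "00:0c:29:aa:bb:99"  # constructed sensor MAC

# Constructed capture on an ordinary switched port.
SWITCHED = [
    "12:00:00.000001 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.20, length 46",
    "12:00:00.000002 00:0c:29:aa:bb:02 > 00:0c:29:aa:bb:99, ethertype IPv4 (0x0800), length 74: 192.0.2.10.51000 > 192.0.2.99.22: tcp 0",
    "12:00:00.000003 00:0c:29:aa:bb:99 > 00:0c:29:aa:bb:02, ethertype IPv4 (0x0800), length 74: 192.0.2.99.22 > 192.0.2.10.51000: tcp 0",
    "12:00:00.000004 00:0c:29:aa:bb:03 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.0.2.30.5353 > 224.0.0.251.5353: UDP, length 45",
]
# Constructed capture on a mirror (SPAN) port.
MIRRORED = [
    "12:00:01.000001 00:0c:29:aa:bb:01 > 00:0c:29:aa:bb:02, ethertype IPv4 (0x0800), length 74: 192.0.2.20.40000 > 192.0.2.10.80: tcp 0",
    "12:00:01.000002 00:0c:29:aa:bb:02 > 00:0c:29:aa:bb:01, ethertype IPv4 (0x0800), length 74: 192.0.2.10.80 > 192.0.2.20.40000: tcp 0",
    "12:00:01.000003 00:0c:29:aa:bb:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.30, length 46",
    "12:00:01.000004 00:0c:29:aa:bb:01 > 00:0c:29:aa:bb:04, ethertype IPv4 (0x0800), length 74: 192.0.2.20.40001 > 192.0.2.40.25: tcp 0",
]
```

If the capture on the Snort box shows only "own" and "flooded" frames, the sensor is on an ordinary switch port and Snort's rules never see the rest of the segment.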
