[Snort-users] Local scan only

Matt Kettler mkettler at ...4108...
Sat Sep 7 11:29:04 EDT 2002


As for snort.conf:

Make sure HOME_NET is set correctly with the correct CIDR style netmask. 
Most snort rules ignore traffic which is not destined to a machine in that 
range. For example 192.168.1.0/24 will match all IPs in the 192.168.1.* 
range, but 192.168.1.1/32 will only match the single IP 192.168.1.1.


For hardware:

Are you sure your hub is truly passive? (i.e., "automatic dual speed hubs" 
contain a switch.)
Try getting windump and seeing if your NIC really is seeing the packets. It 
uses the same winpcap interface that snort for windows will use.

Windump's homepage (referred from http://www.tcpdump.org/wpcap.html) is:

http://windump.polito.it/


At 06:22 PM 9/6/2002 -0700, rick bohaty wrote:
>I have snort 1.8.7win32.exe installed on W2K pro. When
>I start the scan only traffic from the snort pc shows
>up. Traffic from all other pcs on the segment (hub)
>doesn't. Do I need to enter the subnet somewhere in
>the snort.conf or command line?
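
An added example (not part of the original post, and not Snort's own code): a Python check that reads the HOME_NET variable from a snort.conf and lists which hosts on the segment fall outside it, using the /32 versus /24 case from the reply. The config fragment and host addresses are constructed, and the parsing assumes `var NAME VALUE` lines holding a single CIDR, a bracketed comma list without spaces, `any`, or a `$VAR` reference.

```python
import ipaddress
import re

# Constructed snort.conf fragment (not from the original post).
SAMPLE_CONF = """\
# network variables
var HOME_NET 192.168.1.1/32
var EXTERNAL_NET any
var DNS_SERVERS [192.168.1.10/32,192.168.1.11/32]
"""

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(\S+)")

def parse_vars(conf_text):
    """Return {name: raw value} for every 'var NAME VALUE' line."""
    found = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = VAR_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def networks(name, variables):
    """Expand a variable to ip_network objects; 'any' becomes 0.0.0.0/0."""
    raw = variables[name]
    if raw.startswith("$"):                    # reference to another variable
        return networks(raw[1:], variables)
    if raw == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    items = raw.strip("[]").split(",")
    # strict=False accepts host bits set, e.g. 192.168.1.5/24
    return [ipaddress.ip_network(i.strip(), strict=False) for i in items]

def uncovered(hosts, conf_text, name="HOME_NET"):
    """Return the hosts that fall outside every range of the variable."""
    nets = networks(name, parse_vars(conf_text))
    return [h for h in hosts
            if not any(ipaddress.ip_address(h) in n for n in nets)]

if __name__ == "__main__":
    segment = ["192.168.1.1", "192.168.1.20", "192.168.1.35"]  # constructed
    print("outside HOME_NET (/32):", uncovered(segment, SAMPLE_CONF))
    fixed = SAMPLE_CONF.replace("192.168.1.1/32\n", "192.168.1.0/24\n")
    print("outside HOME_NET (/24):", uncovered(segment, fixed))
```

Hosts reported as outside HOME_NET are ones for which most rules will stay silent even when the sensor does see their packets, so this check separates a configuration problem from the hub/NIC visibility problem that windump diagnoses.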