[Snort-users] New guy.
erek at ...950...
Tue Apr 8 07:18:06 EDT 2003
On Mon, 7 Apr 2003, Mike wrote:
> Just signed up for this ML. Don't know about any rules or guidelines so
> bear with me. Anyways, I'm pretty new to both Linux and Snort (keeping an
> eye on HoneyD as well) and I guess my first question is kinda stupid:
Well.... There aren't any official rules or guidelines for the list. I
put together two documents that might help... :) The first is a 'How to
get a Useful Answer' text, and the second--Well, just read it.
> If I would like to monitor the activity on a network with all computers on
> the same subnet (the gateway is a firewall to the Internet). How would I set
> up Snort? On what computer can I run it to be able to listen to all traffic?
> I set up a test Snort but it would only see the traffic to the machine on
> which I ran it.
As others have said, that's perfectly normal depending on your setup. The
short answer is: You need a tap, a 'dumb' hub, or a switch with a
monitoring port. Otherwise, you won't see anything except traffic
destined for that box or broadcast traffic.
"When things get weird, the weird turn pro." H.S. Thompson
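
The following is an added example, not part of the original post: a way to check from captured Ethernet frames whether a sensor sees only its own and broadcast traffic (a plain switch port) or other hosts' unicast traffic as well (tap, hub, or monitoring port). All MAC addresses and frames are constructed, and the 5% threshold is an assumption chosen to ignore the occasional unknown-unicast flood on a switch.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("not a MAC address: %r" % text)
    return raw

def classify_frame(frame, sensor_mac):
    """Label one raw Ethernet frame from the sensor's point of view."""
    if len(frame) < 14:              # shorter than an Ethernet header
        return "truncated"
    dst, src = frame[0:6], frame[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                # group bit set: multicast
        return "multicast"
    if sensor_mac in (dst, src):     # sent to or by the sensor itself
        return "own"
    return "foreign_unicast"         # unicast between two other hosts

def visibility_report(frames, sensor_mac, min_foreign=0.05):
    """Return (counts, foreign unicast share, sees_other_hosts)."""
    counts = Counter(classify_frame(f, sensor_mac) for f in frames)
    total = sum(counts.values()) - counts["truncated"]
    share = counts["foreign_unicast"] / total if total else 0.0
    return dict(counts), share, share >= min_foreign

# Constructed sample data (locally administered MACs, empty payloads).
SENSOR, GATEWAY = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:fe")
HOST_A, HOST_B = mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b")
MCAST = mac("01:00:5e:00:00:fb")

def eth(dst, src):
    """Build a minimal IPv4-typed Ethernet frame with a zeroed payload."""
    return dst + src + b"\x08\x00" + bytes(46)

# What a sensor on an ordinary switch port captures.
SWITCHED = [eth(SENSOR, GATEWAY), eth(GATEWAY, SENSOR),
            eth(BROADCAST, HOST_A), eth(MCAST, HOST_B)]
# The same segment seen through a tap, hub, or monitoring port.
MIRRORED = SWITCHED + [eth(HOST_A, GATEWAY), eth(GATEWAY, HOST_A),
                       eth(HOST_B, HOST_A), eth(HOST_A, HOST_B)]

if __name__ == "__main__":
    for name, sample in (("switched", SWITCHED), ("mirrored", MIRRORED)):
        print(name, visibility_report(sample, SENSOR))
```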