[Snort-users] New guy.

Erek Adams erek at ...950...
Tue Apr 8 07:18:06 EDT 2003


On Mon, 7 Apr 2003, Mike wrote:

> Just signed up for this ML. Don't know about any rules or guidelines so
> bear with me. Anyways, I'm pretty new to both Linux and Snort (keeping an
> eye on HoneyD as well) and I guess my first question is kinda stupid:

Well....  There aren't any official rules or guidelines for the list.  I
put together two documents that might help...  :)  The first is a 'How to
get a Useful Answer' text [0], and the second--Well, just read it [1].
;-)


> If I would like to monitor the activity on a network with all computers on
> the same subnet (the gateway is a firewall to the Internet). How would I set
> up Snort? On what computer can I run it to be able to listen to all traffic?
>
> I set up a test Snort but it would only see the traffic to the machine on
> which I ran it.

As others have said, that's perfectly normal depending on your setup.  The
short answer is:  You need a tap, a 'dumb' hub, or a switch with a
monitoring port.  Otherwise, you won't see anything except traffic
destined for that box or broadcast traffic.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://marc.theaimsgroup.com/?l=snort-users&m=104230179003344&w=2
[1]	http://www.theadamsfamily.net/~erek/snort/drinking_game.txt
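
An added example, not part of the original post: one way to check what a sensor's capture point actually sees is to classify captured Ethernet frames by destination MAC. The sensor MAC, host MACs and sample frames below are constructed for illustration.

```python
from collections import Counter

def mac(b: bytes) -> str:
    """Format 6 raw bytes as a colon-separated MAC string."""
    return ":".join(f"{x:02x}" for x in b)

def classify(frame: bytes, sensor_mac: str) -> str:
    """Return 'broadcast', 'multicast', 'own', 'other' or 'runt' for one frame."""
    if len(frame) < 14:                      # shorter than an Ethernet header
        return "runt"
    dst, src = frame[0:6], frame[6:12]
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 0x01:                        # group bit set: multicast
        return "multicast"
    if sensor_mac in (mac(dst), mac(src)):   # traffic to or from the sensor
        return "own"
    return "other"                           # unicast between two other hosts

def visibility(frames, sensor_mac):
    """Count frame classes; the flag is True if third-party unicast was seen.

    A switch can briefly flood unknown-unicast frames, so a handful of
    'other' frames is not proof of a tap, hub or monitoring port.
    """
    counts = Counter(classify(f, sensor_mac) for f in frames)
    return counts, counts["other"] > 0

def frame(dst: str, src: str) -> bytes:
    """Build a minimal constructed frame: header plus zero padding."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return raw(dst) + raw(src) + b"\x08\x00" + b"\x00" * 46

# Constructed sample data (assumed addresses, not from the post).
SENSOR = "00:11:22:33:44:55"
HOST_A = "00:aa:bb:cc:dd:01"
GATEWAY = "00:aa:bb:cc:dd:fe"

# What a sensor on an ordinary switched port would capture.
SWITCHED = [
    frame("ff:ff:ff:ff:ff:ff", HOST_A),   # ARP-style broadcast
    frame(SENSOR, HOST_A),                # unicast to the sensor
    frame(GATEWAY, SENSOR),               # unicast from the sensor
]
# Same capture plus host-to-gateway unicast, as seen via tap/hub/monitor port.
MIRRORED = SWITCHED + [frame(GATEWAY, HOST_A)]

if __name__ == "__main__":
    for name, sample in (("switched", SWITCHED), ("mirrored", MIRRORED)):
        print(name, *visibility(sample, SENSOR))
```
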



