[Snort-users] snort-users at lists.sourceforge.net
mkettler at ...4108...
Tue Dec 9 15:36:02 EST 2003
At 06:18 PM 12/9/2003, sama at ...10714... wrote:
>I've installed Snort 2.0.5 perfectly on a Debian box. This machine is on a
>LAN that has a Firewall/Nat box. My question is: How could I set up the snort
>box to sensor the LAN behind the firewall/nat ? I put HOME_NET var to the
>address of the internal network but, when I tried to scan another machine on
>this network, the snort didn't get the scan.
Your LAN is likely switched. In this case, you need to do something to make
your snort system see all traffic traversing the switch. By definition,
switches only send ethernet packets to hosts that need them, not every host
in the entire LAN.
On higher-end (managed) switches this can be done by configuring them with
a mirror port. The mirror port gets copies of every packet traversing the
switch (it does however miss some on a very busy switch, just by the
nature of trying to monitor more traffic than can pass through the mirror).
Lower end switches (unmanaged ones) don't support anything of this sort.
Your only option here is to try to basically break the switch into being a
hub using macof to flood its MAC tables. However, this has serious
performance impact, and I wouldn't recommend it in a production environment.
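A quick way to confirm whether the sensor is actually receiving mirrored traffic, rather than only its own frames and broadcasts, is to look at the Ethernet headers it captures: on a switch without a mirror port, no unicast frame between two *other* hosts should ever arrive. The following Python is an added example, not code from this thread; the sensor MAC and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), etype

def is_group_address(mac: str) -> bool:
    # Low bit of the first octet set => broadcast or multicast destination
    return int(mac.split(":")[0], 16) & 1 == 1

def classify_visibility(frames, sensor_mac: str) -> Counter:
    """Bucket frames into: addressed to/from the sensor itself ("own"),
    broadcast/multicast ("group"), or unicast between two other hosts
    ("third_party"). Only a mirror port (or a hub) delivers the last kind."""
    counts = Counter()
    for frame in frames:
        dst, src, _ = parse_ethernet(frame)
        if sensor_mac in (dst, src):
            counts["own"] += 1
        elif is_group_address(dst):
            counts["group"] += 1
        else:
            counts["third_party"] += 1
    return counts

def sees_mirrored_traffic(frames, sensor_mac: str) -> bool:
    """True if at least one third-party unicast frame reached the sensor."""
    return classify_visibility(frames, sensor_mac)["third_party"] > 0

# Constructed sample MACs and minimal frames (header + a few payload bytes).
SENSOR = "00:11:22:33:44:55"
HOST_A, HOST_B = "00:aa:aa:aa:aa:01", "00:bb:bb:bb:bb:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"

def make_frame(dst: str, src: str, etype: int = 0x0800) -> bytes:
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", etype) + b"\x00" * 4

# What a sensor on an ordinary switch port sees: its own traffic plus ARP broadcasts.
SWITCHED_ONLY = [make_frame(SENSOR, HOST_A), make_frame(BROADCAST, HOST_A, 0x0806)]
# What a mirror port adds: frames exchanged between two other hosts (e.g. a scan of HOST_B).
MIRRORED = SWITCHED_ONLY + [make_frame(HOST_B, HOST_A), make_frame(HOST_A, HOST_B)]
```

Run the same classification over a short live capture from the Snort interface; a count of zero third-party frames while other hosts are known to be talking means the switch is not mirroring to that port.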