[Snort-users] snort-users at lists.sourceforge.net

Matt Kettler mkettler at ...4108...
Tue Dec 9 15:36:02 EST 2003


At 06:18 PM 12/9/2003, sama at ...10714... wrote:
>I've installed Snort 2.0.5 perfectly on a Debian box. This machine is on a
>LAN that has a Firewall/Nat box. My question is: How could I set up the snort
>box to sensor the LAN behind the firewall/nat ? I put HOME_NET var to the
>address of the internal network but, when I tried to scan another machine on
>this network, the snort didn't get the scan.

Your LAN is likely switched. In this case, you need to do something to make 
your snort system see all traffic traversing the switch. By definition, 
switches only send ethernet packets to hosts that need them, not every host 
in the entire LAN.

On higher-end (managed) switches this can be done by configuring them with 
a mirror port. The mirror port gets copies of every packet traversing the 
switch (it does however miss some on a very busy switch.. just by the 
nature of trying to monitor more traffic than can pass through the mirror 
port).

Lower end switches (unmanaged ones) don't support anything of this sort. 
Your only option here is to try to basically break the switch into being a 
hub using macof to flood its MAC tables.. However, this has serious 
performance impact, and I wouldn't recommend it in a production environment.
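As an added example, not part of this thread: a small Python check that can be run over a capture taken on the Snort box's interface (the frames and MAC addresses below are constructed, hypothetical values) to tell whether unicast traffic between two other hosts is actually reaching the sensor, i.e. whether the mirror port is doing its job.

```python
# Constructed example (not from the original thread): does a sniffer port
# really receive mirrored traffic?  A switched NIC normally sees only unicast
# to its own MAC plus broadcast/multicast; unicast between two OTHER hosts is
# the proof that a mirror/SPAN port (or a hub) is in place.
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    return dst, src, int.from_bytes(frame[12:14], "big")

def classify(dst_mac: str, sensor_mac: str) -> str:
    """Why a switch would (or would not) have delivered this frame to the sensor."""
    if dst_mac == BROADCAST:
        return "broadcast"
    if int(dst_mac[:2], 16) & 1:   # I/G bit set => multicast
        return "multicast"
    if dst_mac == sensor_mac:
        return "to-sensor"
    return "foreign-unicast"        # only reaches us through a mirror port

def mirror_report(frames, sensor_mac):
    """Count frame classes; mirroring works only if foreign unicast shows up."""
    counts = Counter(classify(parse_frame(f)[0], sensor_mac) for f in frames)
    return {"counts": dict(counts), "mirror_working": counts["foreign-unicast"] > 0}

def build_frame(dst: str, src: str, ethertype: int, payload: bytes = b"\x00" * 46):
    """Assemble a minimal Ethernet II frame (constructed test input)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + payload

# Constructed sample: the sensor's MAC and two other LAN hosts (hypothetical values).
SENSOR_MAC, HOST_A, HOST_B = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"
SAMPLE_FRAMES = [
    build_frame(BROADCAST, HOST_A, 0x0806),            # ARP request: seen without mirroring
    build_frame(SENSOR_MAC, HOST_A, 0x0800),           # addressed to the sensor itself
    build_frame(HOST_B, HOST_A, 0x0800),               # A -> B: needs the mirror port
    build_frame("01:00:5e:00:00:fb", HOST_A, 0x0800),  # IPv4 multicast (mDNS group)
]
# With all four frames mirror_working is True; with only the first two it is False.
```

A capture that contains only broadcast, multicast and frames addressed to the sensor itself is exactly the symptom described above: the NIC is working, but the switch is not sending it anyone else's conversations.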