[Snort-users] Enable Snort To Detect NIDS

Erek Adams erek at ...950...
Wed Jan 8 09:01:09 EST 2003


On Wed, 8 Jan 2003, Pathmenanthan Ramakrishna wrote:

> I'm using Snort version 1.9. When I start the snortd daemon it enables
> Snort and captures data that is directed to the server.
>
> How do I enable Snort to capture the entire LAN traffic? Currently,
> when I perform an attack on the host (where Snort is running) I can see
> values at the ACID Console.
>
> What if, when Snort is running, I want it to detect other host
> activities as well?
>
> How do I do that?

If you are on a switch, set up 'port mirroring' or, if it's a Cisco
switch, a 'SPAN port'.  If on a hub, make sure it's not 'autosensing
10/100' and just a 'dumb hub' (FAQ 6.21 [0]).  Otherwise, use a pair of
'ethernet taps'.

Check out the docs under 'IDS Deployment Guides' [1].  It's really amazing
what you can find if you look.

Oh, and take a penalty drink.  ;-)

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://www.snort.org/docs/faq.html#6.21
[1]	http://www.snort.org/docs/#deploy
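
A way to confirm that the mirror/SPAN port, hub or tap described above is actually delivering other hosts' traffic to the sensor, as an added example that is not part of the original message. The frame tuples, addresses and function names are constructed for illustration; in practice the tuples would come from a short capture on the sensor's sniffing interface.

```python
"""Check whether a sensor's capture contains traffic between *other* hosts."""
import ipaddress


def is_unicast(dst_ip, dst_mac):
    """True if the frame is addressed to one host (not broadcast/multicast)."""
    first_octet = int(dst_mac.split(":")[0], 16)
    if first_octet & 0x01:  # group bit set: broadcast or multicast MAC
        return False
    return not ipaddress.ip_address(dst_ip).is_multicast


def visibility(frames, sensor_ip):
    """Classify (src_ip, dst_ip, dst_mac) tuples seen on the sniffing interface."""
    counts = {"own": 0, "third_party": 0, "broadcast_multicast": 0}
    for src_ip, dst_ip, dst_mac in frames:
        if not is_unicast(dst_ip, dst_mac):
            # Every switch port receives these, so they prove nothing.
            counts["broadcast_multicast"] += 1
        elif sensor_ip in (src_ip, dst_ip):
            counts["own"] += 1
        else:
            # Unicast between two other hosts: only visible via mirror, hub or tap.
            counts["third_party"] += 1
    return counts


def sees_lan(frames, sensor_ip, min_frames=1):
    """A plain switch port may leak a few flooded frames; raise min_frames to ignore them."""
    return visibility(frames, sensor_ip)["third_party"] >= min_frames


SENSOR = "192.168.1.10"  # constructed sample address

# Constructed sample: sensor on an ordinary switch port.
SWITCHED = [
    ("192.168.1.20", "192.168.1.10", "00:11:22:33:44:10"),
    ("192.168.1.10", "192.168.1.20", "00:11:22:33:44:20"),
    ("192.168.1.30", "192.168.1.255", "ff:ff:ff:ff:ff:ff"),
    ("192.168.1.30", "224.0.0.251", "01:00:5e:00:00:fb"),
]

# Constructed sample: same LAN seen through a mirror port, hub or tap.
MIRRORED = SWITCHED + [
    ("192.168.1.20", "192.168.1.30", "00:11:22:33:44:30"),
    ("192.168.1.30", "192.168.1.20", "00:11:22:33:44:20"),
]

if __name__ == "__main__":
    print("switched:", visibility(SWITCHED, SENSOR), sees_lan(SWITCHED, SENSOR))
    print("mirrored:", visibility(MIRRORED, SENSOR), sees_lan(MIRRORED, SENSOR))
```

If the third-party count stays at zero, Snort will only ever alert on traffic to and from its own host, which is the symptom described in the question.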



