[Snort-users] does snort detect !

Matt Kettler mkettler at ...4108...
Fri Nov 14 09:11:13 EST 2003

At 07:14 AM 11/14/2003, Rahul wrote:
>Does snort detect intrusion of other machine (i.e. X machine which someone
>is trying to attack) that belongs to the same network where snort runs. If
>so, how to test the same.
>Any help would be greatly appreciated.

Snort monitors the network in promiscuous mode. Anything that comes by 
its ethernet port, whether addressed to the snort box or not, will be 
analyzed. However, if you're using ethernet switches, the very nature of a 
switch will prevent the snort box from seeing traffic to other machines 
unless you configure a mirror port, or add a tap somewhere.

In general the snort rules are set up to monitor for attacks coming from 
any machine in EXTERNAL_NET going to any machine in HOME_NET. For debugging 
purposes setting both of these to "any" is a good starting point.

So, provided your connection is right, and your variables are set right, 
snort should monitor for attacks on other machines in your network.
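
An added example, not part of the original post: one way to test whether the sensor's port really receives traffic for other machines (mirror port or tap working) is to count unicast frames addressed to MACs other than the sensor's in a capture taken on that interface. It assumes a classic libpcap file such as one written by `tcpdump -w`; the function names and the MAC addresses in the sample capture are constructed for illustration.

```python
import struct

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def foreign_unicast(pcap, sensor_mac):
    """Map each non-sensor unicast destination MAC to its frame count."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic libpcap capture")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    sensor, seen, off = mac(sensor_mac), {}, 24
    while off + 16 <= len(pcap):
        # Per-packet record header: ts_sec, ts_usec, incl_len, orig_len
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 14:
            continue
        dst, src = frame[:6], frame[6:12]
        # Broadcast/multicast is flooded to every switch port, and frames the
        # sensor itself sent prove nothing, so neither counts as evidence.
        if dst[0] & 1 or dst == sensor or src == sensor:
            continue
        key = ":".join(f"{b:02x}" for b in dst)
        seen[key] = seen.get(key, 0) + 1
    return seen

def sample_capture():
    """Constructed capture: sensor ...:01, two other hosts ...:0a and ...:0b."""
    s, a, b = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b")
    frames = [(s, a), (b"\xff" * 6, a), (a, s), (b, a), (b, a), (a, b)]  # (dst, src)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst, src in frames:
        data = dst + src + b"\x08\x00" + bytes(46)
        out += struct.pack("<IIII", 0, 0, len(data), len(data)) + data
    return out

if __name__ == "__main__":
    print(foreign_unicast(sample_capture(), "02:00:00:00:00:01"))
```

An empty result on a busy network means the switch is not delivering other hosts' traffic to the sensor. A handful of frames can come from the switch flooding unknown unicast, so look for steady counts across several hosts.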
