[Snort-users] Will only detect server IP

Matt Kettler mkettler at ...4108...
Fri Aug 27 08:22:02 EDT 2004


At 05:18 PM 8/26/2004, Don Hammer wrote:
>I am running snort on RedHat 9.0. It is collecting and reporting alerts, but
>only alerts to of from the IP address of the server snort in running on. I
>have another system that is on the same hub and snort will not detect any
>alerts from that system. Any ideas?

Are your sure your hub is really a true hub?

If it's 10/100 dual speed, it may be more like a switch than a hub. Some of 
these act like half-duplex switches, some act like a 10mbit hub and a 
100mbit hub connected by a 2-port switch (aka bridge). All must have some 
form of switch-like behavior, as it's impossible to act like a pure passive 
hub and suppor both speeds. (Any 10/100 dual speed hub trying to be purely 
passive with no switching would be bandwidth limited to 10mbit.)

Try firing up tcpdump or etherreal to see if the traffic of interest ever 
gets to your snort box.






More information about the Snort-users mailing list