[Snort-users] monitoring only occurring on snort host
mkettler at ...4108...
Tue Feb 3 09:37:12 EST 2004
At 06:22 PM 2/2/2004, Ted Iglehart wrote:
>I appear to have everything configured correctly with my home network set
>However, I only appear to be catching events that are actually hitting the
>snort box and not the subnet as a whole?
What kind of network device is the snort box plugged into?
Most modern 10/100 ethernets are using switches, or "auto-switching hubs".
Snort cannot sniff a packet which does not appear on the wire connected to
it. Switches inherently limit which ports they forward packets to in order
to reduce network congestion.
If you want to sniff all traffic, you have three main options for hookup:
1) get a truly passive hub. However, most of these are straight
10mbit and can present a bottleneck. However, if you're sniffing an
ethernet feeding a cablemodem, t1, or some low-bandwidth point in your
network, this isn't a big deal.
2) get a good managed network switch which has mirror port
capabilities (also called span port by some mfg's). These can be a bit
3) use a network tap. Most of these are a fully passive and thus
bit tricky to configure, but are one of the least "line disruptive"
measures. The big advantage is you don't have an extra switch that can fail
and take out your connection. Can be home-made, or bought. Depending on
speed and features these can be inexpensive to a bit expensive.
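
An added example, not part of the original post: a quick check for the symptom described above, bucketing frames from `tcpdump -e -n` output by whether the sensor is an endpoint, whether the switch floods them to every port, or whether they are unicast between two other hosts. The MAC addresses, the capture lines and the `min_share` threshold are constructed assumptions.

```python
import re
from collections import Counter

SENSOR_MAC = "00:0c:29:aa:bb:01"  # constructed; use the sniffing interface's MAC

# Constructed `tcpdump -e -n` lines as captured on a plain switch port.
SWITCHED = """\
09:37:12.000101 00:0c:29:aa:bb:01 > 00:50:56:11:22:33, ethertype IPv4 (0x0800), length 74: 192.168.1.10.40112 > 192.168.1.1.53: UDP, length 32
09:37:12.000402 00:50:56:11:22:33 > 00:0c:29:aa:bb:01, ethertype IPv4 (0x0800), length 90: 192.168.1.1.53 > 192.168.1.10.40112: UDP, length 48
09:37:12.120000 00:50:56:44:55:66 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.20, length 46
09:37:12.300000 00:50:56:44:55:66 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.168.1.20.5353 > 224.0.0.251.5353: UDP, length 45
"""
# The same capture plus two frames between other hosts, as a hub, mirror
# port or tap would deliver them (also constructed).
MIRRORED = SWITCHED + """\
09:37:12.410000 00:50:56:44:55:66 > 00:50:56:11:22:33, ethertype IPv4 (0x0800), length 74: 192.168.1.20.51000 > 10.0.0.5.80: Flags [S], length 0
09:37:12.412000 00:50:56:11:22:33 > 00:50:56:44:55:66, ethertype IPv4 (0x0800), length 74: 10.0.0.5.80 > 192.168.1.20.51000: Flags [S.], length 0
"""

FRAME = re.compile(r"^\S+ ([0-9a-f:]{17}) > ([0-9a-f:]{17}),", re.I)

def classify(src, dst, sensor):
    """Bucket one frame by why it reached the sensor's port."""
    if sensor in (src, dst):
        return "own"          # the sensor itself is an endpoint
    if int(dst[:2], 16) & 1:
        return "flooded"      # broadcast/multicast: sent to every port
    return "third_party"      # unicast between two other hosts

def summarize(capture, sensor=SENSOR_MAC):
    """Count frames per bucket; lines that are not frame headers are skipped."""
    counts = Counter()
    for line in capture.splitlines():
        m = FRAME.match(line)
        if m:
            src, dst = m.group(1).lower(), m.group(2).lower()
            counts[classify(src, dst, sensor.lower())] += 1
    return counts

def sees_subnet(counts, min_share=0.05):
    """True when unicast between other hosts is a real share of the capture.
    min_share is an assumed threshold: a switch may briefly flood unicast
    for a MAC it has not learned yet, so a stray frame proves nothing."""
    total = sum(counts.values())
    return total > 0 and counts["third_party"] / total >= min_share

if __name__ == "__main__":
    for name, cap in (("switched", SWITCHED), ("mirrored", MIRRORED)):
        c = summarize(cap)
        print(name, dict(c), "sees subnet:", sees_subnet(c))
```
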