[Snort-users] monitoring only occurring on snort host

Matt Kettler mkettler at ...4108...
Tue Feb 3 09:37:12 EST 2004


At 06:22 PM 2/2/2004, Ted Iglehart wrote:
>I appear to have everything configured correctly with my home network set 
>to x.x.x.x/24
>
>However, I only appear to be catching events that are actually hitting the 
>snort box and not the subnet as a whole?

What kind of network device is the snort box plugged into?

Most modern 10/100 ethernets are using switches, or "auto-switching hubs".

Snort cannot sniff a packet which does not appear on the wire connected to 
it. Switches inherently limit which ports they forward packets to in order 
to reduce network congestion.

If you want to sniff all traffic, you have three main options for hookup 
hardware:

         1) get a truly passive hub. However, most of these are straight 
10mbit and can present a bottleneck. However, if you're sniffing an 
ethernet feeding a cablemodem, t1, or some low-bandwidth point in your 
network, this isn't a big deal.

         2) get a good managed network switch which has mirror port 
capabilities (also called span port by some mfg's). These can be a bit 
expensive.

         3) use a network tap.  Most of these are fully passive and thus a 
bit tricky to configure, but are one of the least "line disruptive" 
measures. The big advantage is you don't have an extra switch that can fail 
and take out your connection. Can be home-made, or bought. Depending on 
speed and features these can be inexpensive to a bit expensive.
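A quick way to tell which situation the snort box is in is to look at the link-layer addresses in a short capture: on a plain switch port you only see frames to or from your own MAC plus broadcast/multicast, while a hub, mirror port or tap also shows unicast frames between other hosts. The script below is an added example, not part of the original message; it assumes the `tcpdump -e -nn` line format, uses a constructed sample capture, and the MAC 00:11:22:33:44:55 stands in for the snort host's own address.

```shell
#!/bin/sh
# Added example: classify a tcpdump -e -nn capture by whether it contains
# unicast frames exchanged between hosts other than the sniffing machine.
# Assumed line format: "HH:MM:SS.us SRCMAC > DSTMAC, ethertype ...".

# Count frames whose source and destination MACs are both foreign to us and
# whose destination is a unicast (non-group) address. Reads lines on stdin.
# Usage: count_foreign_unicast <our-mac> < capture.txt
count_foreign_unicast() {
    awk -v me="$(printf '%s' "$1" | tr 'A-F' 'a-f')" '
        $3 == ">" {
            src = tolower($2); dst = tolower($4); sub(/,$/, "", dst)
            if (length(dst) != 17) next      # not an Ethernet header line
            # odd second hex digit of the first octet => multicast/broadcast
            if (substr(dst, 2, 1) ~ /[13579bdf]/) next
            if (src != me && dst != me) n++
        }
        END { print n + 0 }'
}

# Any foreign unicast frame means the port is fed by a hub, SPAN port or tap;
# none means snort only sees this host's own conversations.
classify_visibility() {
    if [ "$(count_foreign_unicast "$1")" -gt 0 ]; then
        echo "sees-other-hosts"
    else
        echo "own-traffic-only"
    fi
}

# Constructed sample capture (not real traffic). Our MAC is 00:11:22:33:44:55;
# lines 4 and 5 are a ping between two other hosts, which a switch would hide.
sample_capture() {
    cat <<'EOF'
10:00:01.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 192.0.2.10.40000 > 192.0.2.1.80: Flags [S], seq 1, win 64240, length 0
10:00:01.000200 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.0.2.1.80 > 192.0.2.10.40000: Flags [S.], seq 2, ack 2, win 65535, length 0
10:00:01.000300 00:aa:bb:cc:dd:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.20, length 28
10:00:01.000400 00:aa:bb:cc:dd:02 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 98: 192.0.2.20 > 192.0.2.1: ICMP echo request, id 7, seq 1, length 64
10:00:01.000500 00:aa:bb:cc:dd:01 > 00:aa:bb:cc:dd:02, ethertype IPv4 (0x0800), length 98: 192.0.2.1 > 192.0.2.20: ICMP echo reply, id 7, seq 1, length 64
10:00:01.000600 00:aa:bb:cc:dd:03 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 120: 192.0.2.30.5353 > 224.0.0.251.5353: UDP, length 78
EOF
}

# Demo on the constructed capture; on a live box feed it from
# "tcpdump -i <iface> -e -nn -c 200" with that interface's MAC instead.
sample_capture | classify_visibility 00:11:22:33:44:55
```

On a real host the capture must run while other machines on the segment are actually talking, otherwise an idle segment also looks like "own-traffic-only".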
