[Snort-users] Sensor location

Michael Boman michael.boman at ...11827...
Fri Nov 19 23:12:20 EST 2004

On Tue, 9 Nov 2004 13:28:10 -0600, César Sanabria <cesanpin at ...11827...> wrote:
> Hi, I'm having trouble detecting traffic. My network is more or less:
>
>                DMZ
>                 |                     |------- LAN 1 (segment 191.168.1.x)
> INTERNET ---- GW --(1)--- GW -------- |------- LAN 2 (segment 191.168.2.x)
>                  segment X            |            .
>                                       |            .
>                                       |------- LAN N (segment 191.168.n.x)
>
> I put my sensor on (1), segment X (192.x.x.x), and I would like to
> catch all traffic from every LAN (segment), but I'm not logging all
> alerts. I mean, supposing I'm on the first segment and I ping a server
> on the DMZ, I can't see the traffic, not even in sniffer mode, so the
> question is:
> Why am I not logging alerts from other segments that aren't in the same
> segment where I put my sensor? What can I do to log alerts?

Snort, like all other NIDS software, depends more on the actual
hardware setup of the network than on the logical design. You have not
told us how you get your Snort to collect data
(hub/switch/tap/inline) or how the segments you want to monitor are
connected to the network.

If you are using switches in your network, you must make sure that they
support SPAN ports or mirror ports (each vendor seems to invent its
own word for it). If you are using hubs, make sure that they are true
hubs and not switching hubs (if it says "10/100 Mbit hub" on the box,
it is almost certainly a switching hub).

Please let us know the physical setup of your network and we can help
you troubleshoot your problem.

Best regards
 Michael Boman
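A quick way to verify the point made in this reply before touching Snort at all: run tcpdump on the sensor's sniffing interface and check which segments actually show up in the packets. If only the sensor's own segment (plus broadcasts) appears, the port is a plain switched port and no Snort configuration will help; a SPAN/mirror port, tap or true hub is needed. The script below is an added example written for this thread, not code from the original posts or from the Snort project. It parses `tcpdump -n` output (assumed to be the default one-line IPv4 format), tallies the /24 segments seen as source or destination, and reports the expected segments that never appear. The sample capture lines are constructed for the example; the 192.168.x.0/24 and 10.1.1.0/24 segments are assumptions standing in for the LANs and DMZ in the question.

```python
"""Check which network segments a Snort sensor's sniffing interface really sees.

Added example for the Snort-users thread "Sensor location"; not part of the
original posts or of Snort. Input is the text output of
    tcpdump -n -i <sensor interface>
(assumption: default verbosity, IPv4 traffic). A segment that never appears
in the capture cannot produce Snort alerts, however the rules are written.
"""
import ipaddress
import re
from collections import Counter

# Matches the start of a default tcpdump -n line, e.g.
#   13:28:10.100001 IP 192.168.1.10.51234 > 10.1.1.20.80: Flags [S], ...
#   13:28:10.100001 IP 192.168.1.10 > 10.1.1.20: ICMP echo request, ...
# Group 1 is the source address, group 2 the destination; a trailing
# ".port" after either address is skipped. Non-IP lines (ARP, etc.) do
# not match and are ignored.
_LINE_RE = re.compile(
    r"^\S+\s+IP\s+(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?[:,]"
)

# Constructed sample capture: a sensor on a switched segment that sees
# its own segment's broadcasts and a single host on LAN 1 talking to the
# DMZ, but nothing from LAN 2 or LAN 3 (addresses are assumptions).
SAMPLE_LINES = [
    "13:28:10.100001 IP 192.168.1.10 > 10.1.1.20: ICMP echo request, id 1, seq 1, length 64",
    "13:28:10.100500 IP 10.1.1.20 > 192.168.1.10: ICMP echo reply, id 1, seq 1, length 64",
    "13:28:11.200000 IP 192.168.1.10.51234 > 10.1.1.20.80: Flags [S], seq 1, win 64240, length 0",
    "13:28:12.000000 IP 192.168.9.2.138 > 192.168.9.255.138: UDP, length 201",
    "13:28:12.500000 ARP, Request who-has 192.168.9.1 tell 192.168.9.2, length 28",
]

# Segments the sensor is supposed to cover (assumed values).
EXPECTED_SEGMENTS = [
    "192.168.1.0/24",  # LAN 1
    "192.168.2.0/24",  # LAN 2
    "192.168.3.0/24",  # LAN 3
    "10.1.1.0/24",     # DMZ
]


def segment_of(addr, prefixlen=24):
    """Return the network (as a string) containing addr at the given prefix length."""
    return str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))


def parse_line(line):
    """Return (src, dst) for an IPv4 tcpdump line, or None for anything else."""
    m = _LINE_RE.match(line)
    return m.groups() if m else None


def tally_segments(lines, prefixlen=24):
    """Count how often each segment appears as source or destination."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # ARP and other non-IP lines carry no segment information
        src, dst = parsed
        counts[segment_of(src, prefixlen)] += 1
        counts[segment_of(dst, prefixlen)] += 1
    return counts


def missing_segments(lines, expected, prefixlen=24):
    """Return the expected segments (sorted) that never appear in the capture."""
    seen = tally_segments(lines, prefixlen)
    normalized = [str(ipaddress.ip_network(e)) for e in expected]
    return sorted(seg for seg in normalized if seg not in seen)


if __name__ == "__main__":
    # Real use: python3 check_segments.py < capture.txt, after replacing
    # SAMPLE_LINES with sys.stdin; the sample data keeps this runnable offline.
    for seg, n in sorted(tally_segments(SAMPLE_LINES).items()):
        print(f"{seg:20s} {n} packet endpoints")
    gone = missing_segments(SAMPLE_LINES, EXPECTED_SEGMENTS)
    if gone:
        print("never seen on the sensor interface:", ", ".join(gone))
        print("=> the sensor port is not receiving these segments; "
              "check for a SPAN/mirror port, tap or true hub")
```

If the missing list is non-empty while hosts on those segments are definitely active, the problem is the physical placement described in the reply and not the Snort rules or the HOME_NET setting; fix the mirroring first and re-run the check.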

