[Snort-users] Snort Newbie

jzorzi at ...13110...
Thu Mar 3 11:44:45 EST 2005


Thanks for your response. I have another question now.

How is it possible that snort is monitoring communication between 2 machines
that are on a different subnet than the snort machine?

The machine running snort is on the 192.168.255.0/24 network, but in the log
analysis I see these entries:

 attacks  from              to                 method
 =========================================================================
   47     192.168.0.97      192.168.0.103      SNMP request udp         {UDP}
   44     192.168.0.97      192.168.0.103      SNMP public access udp   {UDP}
   44     192.168.0.97      192.168.0.104      SNMP public access udp   {UDP}
   44     192.168.0.97      192.168.0.104      SNMP request udp         {UDP}

My HOME_NET is set up as follows:

var HOME_NET [192.168.255.0/24,192.168.0.0/24,192.168.3.0/24,192.168.4.0/24]

The EXTERNAL_NET was set up as follows (until I received your email):

var EXTERNAL_NET any

Now, due to significant changes being applied to the network structure, all
the machines are not physically separated via cables and switches, but the
IPs still need to go through the routers in place.  What I mean is that the
physical network structure is set up to be one complete entity with no VLANs
and no physical wire separation.  During this period of change, though, the IP
subnets still exist, which means that there are routers in place to route
the IP traffic appropriately.  The switches aren't configured with any
VLANs or monitoring ports, and STP (Spanning Tree Protocol) is turned on for
all switches except for the switch that the snort server resides on.  The
switches are Cisco Catalyst switches.  The program used to generate the
result set was "snort_stat", retrieved from the snort.org website.

Given this information, how is the above result set possible?
Does snort proactively monitor all communication on the network, meaning,
does snort monitor traffic that isn't destined for the machine it runs on?

Thanks in advance for your help.  I'm a snort newbie and just trying to
figure out how to configure and understand how snort works.

Jay Zorzi
Systems Administrator, Information Technology

MarketLink Solutions
see further. achieve more.

e - jzorzi at ...13110...
t - 416.260.2800 x299
f - 416.260.2893 
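Added example (not part of the post above, and not Snort's own code): a small Python checker that reads the two `var` lines quoted in the message and reports, for each flow in the snort_stat summary, whether it can match a rule header of the form `$EXTERNAL_NET any -> $HOME_NET`, which is the shape assumed here for the SNMP rules. With `EXTERNAL_NET any`, the internal 192.168.0.x to 192.168.0.x flows match; with `EXTERNAL_NET !$HOME_NET` they no longer do. The flows and the extra 10.1.2.3 source are constructed sample data.

```python
import ipaddress
import re

# Constructed sample mirroring the poster's snort.conf variables.
SNORT_CONF = """
var HOME_NET [192.168.255.0/24,192.168.0.0/24,192.168.3.0/24,192.168.4.0/24]
var EXTERNAL_NET any
"""

# Same variables with EXTERNAL_NET narrowed to "everything outside HOME_NET".
SNORT_CONF_NARROWED = SNORT_CONF.replace("var EXTERNAL_NET any",
                                         "var EXTERNAL_NET !$HOME_NET")

# Constructed (src, dst) pairs: two from the snort_stat table, one outside.
FLOWS = [
    ("192.168.0.97", "192.168.0.103"),
    ("192.168.0.97", "192.168.0.104"),
    ("10.1.2.3", "192.168.0.104"),  # constructed: source outside HOME_NET
]

def parse_vars(conf):
    """Parse 'var NAME value' lines into a dict of name -> raw value."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\s*var\s+(\w+)\s+(\S+)", conf, re.M)}

def matches(spec, ip, variables):
    """True if ip matches a Snort address spec: any, CIDR, [list], !neg, $VAR."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(matches(p, ip, variables) for p in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def classify(flows, conf):
    """Return (src, dst, would_match) for a $EXTERNAL_NET -> $HOME_NET header."""
    v = parse_vars(conf)
    return [(src, dst,
             matches(v["EXTERNAL_NET"], src, v) and matches(v["HOME_NET"], dst, v))
            for src, dst in flows]

if __name__ == "__main__":
    for label, conf in (("any", SNORT_CONF), ("!$HOME_NET", SNORT_CONF_NARROWED)):
        print(f"EXTERNAL_NET {label}:", classify(FLOWS, conf))
```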
