[Snort-users] Snort not seeing everything

Stephen John Smoogen smooge at ...11827...
Wed Jun 14 10:04:28 EDT 2006


On 6/14/06, fname lname <larskman at ...11827...> wrote:
> Our office recently moved to a new location and now my Snort is not seeing
> everything, so it must be something I didn't set up right.
>
> The way I have it set up is right off of the pix inside cable it's going to a
> passive tap that I built from the docs on Snort's site; from there it's going
> to the network's switch.  From that we have a few servers plugged in and
> another switch where a few more servers are and then lastly another switch
> where the workstations are plugged into.
>

What are you wanting the IDS to see? At this point your IDS will see
all Internet traffic. If you are wanting to see traffic from boxes on
switch1 to switch2, etc., you would need either more TAPs or a
different switch mechanism.

 INTERNET---pix---TAP0---switch1----TAP1---switch2
                              |            |
                              |          TAP2
                              |            |
                            IDS     switch3


TAP1 and TAP2 would then see inter-switch traffic but not intra-switch
traffic. In those cases you would want to take a big hit in
performance and either use a HUB or make your switch into a 'smart'
hub by having one port mirror/duplicate all traffic so it feeds to the
IDS(s).


-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator
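
An added example, not part of the original message: a small Python model of the diagram in the reply that walks the path between two endpoints and reports which taps the flow crosses, so sensor blind spots can be listed. The host names and the switch each host is plugged into are constructed for illustration; only the pix/switch/TAP layout comes from the diagram.

```python
from collections import deque

# Inline taps per link, following the diagram in the reply.
LINKS = {
    ("INTERNET", "pix"): None,
    ("pix", "switch1"): "TAP0",
    ("switch1", "switch2"): "TAP1",
    ("switch2", "switch3"): "TAP2",
}
# Constructed hosts (assumption): name -> switch it is plugged into.
HOSTS = {"srvA": "switch1", "srvB": "switch1", "srvC": "switch2",
         "ws1": "switch3", "ws2": "switch3"}

def _graph():
    """Build an adjacency list; each edge carries the tap on it, if any."""
    g = {}
    for (a, b), tap in LINKS.items():
        g.setdefault(a, []).append((b, tap))
        g.setdefault(b, []).append((a, tap))
    for host, sw in HOSTS.items():
        g.setdefault(host, []).append((sw, None))
        g.setdefault(sw, []).append((host, None))
    return g

def taps_seeing(src, dst):
    """Return the set of taps on the loop-free path from src to dst."""
    g = _graph()
    queue, seen = deque([(src, frozenset())]), {src}
    while queue:
        node, taps = queue.popleft()
        if node == dst:
            return set(taps)
        for nxt, tap in g.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, taps | {tap} if tap else taps))
    raise ValueError(f"no path from {src} to {dst}")

def blind_spots(taps_with_sensor):
    """Host pairs whose traffic never crosses a tap feeding a sensor."""
    names = sorted(HOSTS)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if not (taps_seeing(a, b) & set(taps_with_sensor))]

if __name__ == "__main__":
    for pair in [("INTERNET", "ws1"), ("srvA", "srvC"), ("srvC", "ws1"), ("srvA", "srvB")]:
        print(pair, "->", sorted(taps_seeing(*pair)) or "no tap")
    print("blind with sensor on TAP0 only:", blind_spots({"TAP0"}))
```

With a sensor on every tap, the only remaining blind spots are pairs on the same switch, which is the case the reply says needs a hub or a mirror port.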



