[Snort-users] Snort not seeing everything
larskman at ...11827...
Wed Jun 14 10:32:06 EDT 2006
Oh, sorry I forgot to state my goal. My goal is to see all traffic comming
in and out of the network from the internet. So my tapping the first and
last route to the network off the pix I thought would do the job?
On 6/14/06, Stephen John Smoogen <smooge at ...11827...> wrote:
> On 6/14/06, fname lname <larskman at ...11827...> wrote:
> > Our office resently moved to a new location and now my snort not seeing
> > everything so it must be something I didnt setup right.
> > They way I have it setup is right off of the pix inside cable its going
> to a
> > passive tap that i build from the docs on snorts site from there its
> > to the networks switch. From that we have a few servers plugged in and
> > another switch where a few more servers are and the lastly another
> > where the workstations are plugged into.
> What are you wanting the IDS to see? At this point your IDS will see
> all Internet traffic. If you are wanting to see traffic from boxes on
> switch1 to switch 2 etc.. you would need either more TAPs or a
> different switch mechanism.
> | |
> | TAP2
> | |
> IDS switch3
> TAP1 and TAP2 would then see inter switch traffic but not intra switch
> traffic. In those cases you would want to take a big hit in
> performance and either use a HUB or make your switch into a 'smart'
> hub by having one port mirror/duplicate all traffic so it feeds to the
> Stephen J Smoogen.
> CSIRT/Linux System Administrator
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users