[Snort-users] Snort not seeing everything
larskman at ...11827...
Wed Jun 14 15:56:51 EDT 2006
Ok, im on site now and I found the problem.
The network is configure like below:
And the proble was someone had the tap on the a server and not the inside
Problem solved and I am seeing all traffic now.
On 6/14/06, fname lname <larskman at ...11827...> wrote:
> The tap is tapping into the wire that is leaving the inside port of the
> pix. For the pix it goes to the tap and out of the tap it goes to the
> The switch are not smart switches so that is why i am using a tap.
> On 6/14/06, Stephen John Smoogen <smooge at ...11827...> wrote:
> > On 6/14/06, Eric Hines <eric.hines at ...8860...> wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > This doesn't look right. Why would you install a Tap, then hang the
> > > Snort sensor off the switch? The purpose of the tap is to tap in to
> > the
> > > network and replace span ports on your switch. The Snort sensor is
> > > supposed to be hanging off the monitoring port of the Tap.
> > >
> > I do not see where he is putting the snort sensor on the switch. The
> > IDS seems to stay in the same spot.. the last jump out/first jump in.
> > --
> > Stephen J Smoogen.
> > CSIRT/Linux System Administrator
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users