[Snort-users] Snort not seeing everything

fname lname larskman at ...11827...
Wed Jun 14 15:56:51 EDT 2006


Ok, im on site now and I found the problem.

The network is configure like below:

INTERNET---pix---TAP---switch1---switch3
                             |          |
                           IDS   switch2

And the proble was someone had the tap on the a server and not the inside
pix.

lol

Problem solved and I am seeing all traffic now.

Thanks!

On 6/14/06, fname lname <larskman at ...11827...> wrote:
>
> The tap is tapping into the wire that is leaving the inside port of the
> pix.  For the pix it goes to the tap and out of the tap it goes to the
> switch.
>
> The switch are not smart switches so that is why i am using a tap.
>
> On 6/14/06, Stephen John Smoogen <smooge at ...11827...> wrote:
>
> > On 6/14/06, Eric Hines <eric.hines at ...8860...> wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > This doesn't look right. Why would you install a Tap, then hang the
> > > Snort sensor off the switch? The purpose of the tap is to tap in to
> > the
> > > network and replace span ports on your switch. The Snort sensor is
> > > supposed to be hanging off the monitoring port of the Tap.
> > >
> >
> > I do not see where he is putting the snort sensor on the switch. The
> > IDS seems to stay in the same spot.. the last jump out/first jump in.
> >
> > --
> > Stephen J Smoogen.
> > CSIRT/Linux System Administrator
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20060614/8e6c5c36/attachment.html>


More information about the Snort-users mailing list