[Snort-users] Issue with Wireless Monitoring

Alan Ptak alan.ptak at ...11827...
Fri Apr 2 17:22:57 EDT 2010


Hi Paul,

Since snort is able to see traffic on the interface, the next place I would
look is the variables for HOME_NET and EXTERNAL_NET, and at the rule itself.

HTH .. Alan

On Thu, Apr 1, 2010 at 10:09 AM, Paul K <paulk33243 at ...11827...> wrote:

> Anyone have a good, recent link or article on completely setting up Snort
> for a wireless network?
>
> Here is my issue:
> - Using wlan0 (Atheros card) on a laptop and Snort starts just fine on the
> system, so no issues there.
> - Created a simple rule to look for nocase "google" - works like a champ on
> the local system
> - Above rule does not work to monitor other traffic on the same WAP as the
> laptop.
> - snort -v -d -i wlan0 will see the full packet captures from the other
> systems, including the full request to google and displays the google packet
> captures
> - However, no alerts are generated from the above connection to google on a
> different system
> - Can create a rule looking for traffic to/from another system's IP address
> and snort will capture and alert on traffic to/from the system.
>
> So basically, 'snort -v -d -i wlan0' will see all traffic from all systems
> on the WAP, a rule looking for traffic to/from a system on the WAP will
> trigger; however, Snort will not alert on content from other systems on the
> WAP...
>
> Am I missing something really trivial here, or is there a trick to getting
> wireless monitoring going?
>
> Thanks,
> Paul



-- 
Alan Ptak
alan.ptak at ...11827...