[Snort-users] Snort not seeing traffic

Pratik Narang pratik.cse.bits at ...11827...
Wed Aug 29 05:24:25 EDT 2012


On Tue, Aug 28, 2012 at 8:25 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
> Ok.. and the machines connect to the internet how?  Through a router?

The machines connect through a switch which in turn connects to the
border router.

> All 4 devices are plugged into the same switch and you are
> spanning/monitoring the right port on the switch?

"right port"?? not clear to me...

> Can you see the traffic with TCPDump?

As I said, I did a run with Wireshark too (in promiscuous mode) but
did not see the traffic.

If I am not wrong, the simple mistake is that I am connected via a
switch, and so, all the network traffic is not visible at my
interface.

>
> On Tue, Aug 28, 2012 at 4:01 AM, Pratik Narang
> <pratik.cse.bits at ...11827...> wrote:
>> It is in Bridged mode.
>>
>> On Mon, Aug 27, 2012 at 7:26 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
>>> How is the interface between the VM guest and host set up?  Private LAN?
>>>  NAT?  Bridged?
>>>
>>> On Mon, Aug 27, 2012 at 6:01 AM, Pratik Narang
>>> <pratik.cse.bits at ...11827...> wrote:
>>>> I have three machines on my test bed- A, B and C. Snort runs on A.
>>>> B and C both have a VM running as well.
>>>> I am unable to understand why Snort is not seeing the traffic that is
>>>> flowing between machine B/VM on B/machine C/VM on C and the internet.
>>>>
>>>>  Snort.conf clearly says-
>>>> # Setup the network addresses you are protecting
>>>> ipvar HOME_NET [172.16.x0.0/24]
>>>>
>>>> # Set up the external network addresses. Leave as "any" in most situations
>>>> ipvar EXTERNAL_NET any
>>>>
>>>> I tried doing packet captures in promiscuous mode on A. Even Wireshark
>>>> doesn't see that traffic from those machines to the internet. So it
>>>> doesn't seem to be any problem with Snort but with my settings.
>>>>
>>>> What am I doing wrong?
>>>>



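Added example, not part of the original thread: one way to check whether the sensor's interface receives other hosts' traffic at all is to classify the frames in a capture taken on machine A by MAC address. It assumes a classic pcap file (the format `tcpdump -w` writes) with Ethernet framing; the function names, MAC addresses and sample captures are constructed for illustration.

```python
import struct

def classify_frames(pcap_bytes, own_mac):
    """Count Ethernet frames in a classic pcap by whether they involve own_mac."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    counts = {"own": 0, "broadcast_multicast": 0, "third_party": 0}
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        # Per-record header: ts_sec, ts_usec, incl_len, orig_len (4 bytes each)
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:
            continue  # truncated record, no full Ethernet header
        dst, src = frame[0:6], frame[6:12]
        if own_mac in (dst, src):
            counts["own"] += 1
        elif dst[0] & 1:  # group bit set: broadcast or multicast
            counts["broadcast_multicast"] += 1
        else:  # unicast between two other hosts
            counts["third_party"] += 1
    return counts

def sensor_sees_other_hosts(counts):
    """True only if unicast frames between other hosts reached this interface."""
    return counts["third_party"] > 0

def build_pcap(frames):
    """Build a little-endian classic pcap from raw frames (for the samples below)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def eth(dst, src):
    return dst + src + b"\x08\x00" + b"\x00" * 46  # dummy payload

# Constructed sample data: locally administered MACs for A, B and the router.
MAC_A, MAC_B = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")
MAC_ROUTER, BCAST = bytes.fromhex("020000000001"), b"\xff" * 6
PLAIN_PORT = build_pcap([eth(BCAST, MAC_B), eth(MAC_ROUTER, MAC_A), eth(MAC_A, MAC_ROUTER)])
MIRROR_PORT = build_pcap([eth(BCAST, MAC_B), eth(MAC_ROUTER, MAC_B),
                          eth(MAC_B, MAC_ROUTER), eth(MAC_ROUTER, MAC_A)])

if __name__ == "__main__":
    for name, cap in (("plain port", PLAIN_PORT), ("mirror port", MIRROR_PORT)):
        c = classify_frames(cap, MAC_A)
        print(name, c, "sees other hosts:", sensor_sees_other_hosts(c))
```

A capture with only "own" and "broadcast_multicast" frames matches an ordinary switch port; Snort can only inspect B's and C's traffic once "third_party" frames show up, for example from a mirror (SPAN) port.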
