Re: FW: Sending Alert Via E-mail

[John Sage <jsage () finchhaven com>]

Fadzly:

Fadzly Zainuddin wrote:

> Dear Friend,
>
> I'm connecting my Snort IDS machine together my mail server in the same hub.


So the IDS and the mail server are two different boxes, conncected 
through the hub?


> I just wonder why my IDS could not detect anything when I scan my mail
> server port. When I scan IDS machine port , my IDS able to detect. I send a
> port scanning request from external PC. Theoretically when I scan my mail
> server, my IDS machine should receive a same thing because hub will
> broadcast right?


If I understand the topology, no.

I don't remember the details (the brands..), but it's been discussed 
that a "hub" is often functionally a switch; in other words, no, some 
hubs do not broadcast any packet received out all other ports.

Sorry I don't remember which brands/models are like this...

> Am I correct or I need the specified a special command.
> Current my command is 
>
> ./snort -dev -l ./log -h xxx.xxx.xxx.0/24 -c snort.conf


I don't think this has anything to do with it, unless you can verify 
that the hub you're using *does* pass all packets received out all ports.

In that case it may have something to do with your home network 
definition, and the way the rule sets you are using are affected by the 
home network...

..but I'm betting it's the "hub".

HTH..

- John




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users