Snort mailing list archives
RE: seeing whol subnet
From: Matt Yackley <Matt.Yackley () perkinswill com>
Date: Wed, 18 Dec 2002 10:45:12 -0600
David, if your Snort box is plugged into a switch you won't see other traffic unless the switch has some type of port mirroring / spanning, configured. Try running tcpdump and see if you see traffic for other hosts, well other than broadcast traffic anyway. Matt -----Original Message----- From: David Bear [mailto:David.Bear () asu edu] Sent: Wednesday, December 18, 2002 10:30 AM To: snort-users Subject: [Snort-users] seeing whol subnet I would like snort to 'see'/'report' on hosts in the whole subnet. I have set my HOME_NET vary to any, and well as trying vx0_ADDRESS and different combinations of the ip/add/subnet (in CIDR block notation). When snort does alert, it only alerts on attacks directed to the host it is running on, ie it does not alert on when any other host is attacked. I am runing on freebsd 4.6.2. While I don't control the wiring and network switches I am reasonaly certain this is a standard 10/mbt shared ethernet port -- so all hosts should be visible. Are there any other config parameters that I am just missing? (I have enabled ALL rules to alert -- even the icmp rule that seem to generate a lot of alert -- still all quiet. I'm not quite ready to believe that my subnet is this quiet... -- David Bear College of Public Programs/ASU Mail Code 0803 ------------------------------------------------------- This SF.NET email is sponsored by: Order your Holiday Geek Presents Now! Green Lasers, Hip Geek T-Shirts, Remote Control Tanks, Caffeinated Soap, MP3 Players, XBox Games, Flying Saucers, WebCams, Smart Putty. T H I N K G E E K . C O M http://www.thinkgeek.com/sf/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.NET email is sponsored by: Order your Holiday Geek Presents Now! Green Lasers, Hip Geek T-Shirts, Remote Control Tanks, Caffeinated Soap, MP3 Players, XBox Games, Flying Saucers, WebCams, Smart Putty. T H I N K G E E K . C O M http://www.thinkgeek.com/sf/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- seeing whol subnet David Bear (Dec 18)
- <Possible follow-ups>
- RE: seeing whol subnet Matt Yackley (Dec 18)
- RE: seeing whol subnet Semerjian, Ohanes (Dec 21)