Snort mailing list archives
RE: Snort doesn't appear to be looking at everything on our network
From: Bob Dehnhardt <bob.dehnhardt () trinet com>
Date: Tue, 22 Oct 2002 14:13:56 -0700
Steve, it sounds like your network is fully switched - a sniffer in this environment would display the symptoms you're describing (in switched networks, traffic is segregated, and you won't see the whole network). Try moving your sensor to a network choke point, like the internal interface on a gateway switch or router. You still won't see all the traffic on your network (purely internal traffic will remain segregated), but you will see aggregate traffic entering and leaving your network.

- Bob

-----Original Message-----
From: Steve Saunders [mailto:stevefs () randolphhospital org]
Sent: Tuesday, October 22, 2002 9:00 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort doesn't appear to be looking at everything on our network

Snort doesn't appear to be looking at everything on our network, I don't see any traffic except broadcast and traffic connecting to my pc. One of the rules I set up was to alert me when someone pings on our network, I don't receive any alerts unless my pc gets pinged. If I ping anything else it doesn't alert me. Even when I run snort as a packet sniffer, it never picks up anything except the broadcast. Is there something on our network that could be interfering with it, or am I doing something wrong?

The command I use to run Snort is "snort -i2 -c c:\snort\rules.rules -l c:\snort\log", the rule I set in the rules.rules file states "alert icmp any any -> any any (msg: "possible ping attempt";)".

Thank you,
Steve
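One way to confirm the switched-port symptom described in the reply above, as an added example that is not part of the original thread: classify the frames in a capture taken on the sensor interface and check whether any unicast traffic between other hosts is present. It assumes a classic (non-pcapng) Ethernet pcap; the MAC addresses and the two sample captures are constructed for illustration.

```python
import struct

def iter_frames(pcap: bytes):
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def visibility(pcap: bytes, sensor_mac: bytes) -> dict:
    """Count frames by whether the sensor's port would receive them anyway."""
    counts = {"own": 0, "broadcast_multicast": 0, "third_party": 0}
    for frame in iter_frames(pcap):
        if len(frame) < 14:
            continue                           # truncated Ethernet header
        dst, src = frame[:6], frame[6:12]
        if sensor_mac in (dst, src):
            counts["own"] += 1
        elif dst[0] & 1:                       # group bit: broadcast/multicast
            counts["broadcast_multicast"] += 1
        else:
            counts["third_party"] += 1         # unicast between other hosts
    return counts

def looks_switched(counts: dict) -> bool:
    """True when the capture has traffic but no unicast between other hosts."""
    return sum(counts.values()) > 0 and counts["third_party"] == 0

# --- constructed sample data (hypothetical MAC addresses, not from the thread) ---
SENSOR, HOST_A, HOST_B = (bytes.fromhex("0200000000" + x) for x in ("01", "0a", "0b"))
BCAST = b"\xff" * 6

def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst, src in frames:
        body = dst + src + b"\x08\x00" + bytes(46)   # IPv4 ethertype + padding
        out += struct.pack("<IIII", 0, 0, len(body), len(body)) + body
    return out

SWITCHED = make_pcap([(BCAST, HOST_A), (SENSOR, HOST_A), (HOST_A, SENSOR)])
MIRRORED = make_pcap([(BCAST, HOST_A), (SENSOR, HOST_A), (HOST_B, HOST_A)])

if __name__ == "__main__":
    for name, cap in (("switched", SWITCHED), ("mirrored", MIRRORED)):
        c = visibility(cap, SENSOR)
        print(name, c, "switched-port symptom" if looks_switched(c) else "sees others")
```

The check is a heuristic: a switch floods frames for a destination MAC it has not yet learned, so a handful of third-party frames can still show up on an ordinary switched port.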