RE: Snort doesn't appear to be looking at everythin g on our network

[Robby Desmond <rdesmond () els ucsb edu>]

At 02:13 PM 10/22/02 -0700, Bob Dehnhardt wrote:
> Steve, it sound like you network is fully switched - a sniffer is this
> environment would display the symptoms you're describing (in switched
> networks, traffic is segregated, and you won't see the whole network).
>
> Try moving your sensor to a network choke point, like the internal interface
> on a gateway switch or router. You still won't see all the traffic on your
> network (purely internal traffic will remain segregated), but you will see
> aggregate traffic entering and leaving your network.
>
>  - Bob

In addition, most switch manufacturers havea command for port mirroring or 
monitoring. In Cisco terminology, this is called a SPAN port. Check out the 
documentation for your switches to find out how do this, then set up a port 
and hook the snort box into it.

-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906



-------------------------------------------------------
This sf.net email is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0002en

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users