Snort mailing list archives
Re: Port mirroring settings for SNORT
From: Kevin Ross <kevross33 () googlemail com>
Date: Mon, 31 Mar 2014 14:32:47 +0100
If you want it to capture other traffic from other machines you have a few options:

1) You create a SPAN/Mirror port on your network switch to send traffic from a choke point on your network (i.e. Internet link on inside interface of firewall) to the interface that your sensor is plugged into and then just sniff the interface (you should have at least 2 interfaces on your sensor: 1 for management with an IP address and the other for sniffing). You will need a managed switch to do this (i.e. a switch you can configure, such as Cisco ones). Note that, depending on traffic levels, if monitoring a lot of traffic you may have to consider things like interface tuning, using pfring, dedicated network cards etc., with more being required the higher the levels of traffic you are looking at and the more intensive the application inspection you are applying to it. I would also recommend using a minimal *nix OS.

2) You have Snort running inline to the traffic. This means you could also operate in IPS mode too, depending on your configuration.

You could also utilise something like a pfSense - www.pfsense.org - firewall if in a home network (highly recommended) and then use the snort package in that to monitor your network and protect your internet link. If this is a SOHO type thing this may be more ideal for you if you are unsure and just want to see about getting detection, although not so much if your aim is to learn a lot about Snort (which is a valuable thing to do).

Hope that helps.

Kevin Ross

On 28 March 2014 18:31, basant subba <basantsubba () gmail com> wrote:
How do I set my SNORT configuration in promiscuous mode so that it captures packets from other machines in the network as well? Presently it is only monitoring the packets of my machine but I want it to capture packets from other devices in the network as well.

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
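Added example, not part of the original mailing list posts: a shell check that a Linux sensor's sniffing interface matches the two-interface layout from the reply (link up, promiscuous, no IPv4 address of its own). The names `check_sniff_iface` and `SYSFS_NET`, and the interface name `eth1` in the comment, are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the sniffing NIC of a Linux Snort sensor.
# SYSFS_NET and check_sniff_iface are names made up for this example.
# Typical call on a sensor (eth1 is an assumed interface name):
#   check_sniff_iface eth1
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

IFF_UP=0x1          # interface flag bits from <linux/if.h>
IFF_PROMISC=0x100

# check_sniff_iface IFACE [ADDRS]
#   ADDRS: text in `ip -o addr show dev IFACE` format; if omitted, ip is run.
#   Returns 0 = ready to sniff, 1 = misconfigured, 2 = interface not found.
check_sniff_iface() {
    _if=$1
    _rc=0
    if [ ! -r "$SYSFS_NET/$_if/flags" ]; then
        echo "$_if: interface not found"
        return 2
    fi
    _flags=$(cat "$SYSFS_NET/$_if/flags")
    if [ "$#" -ge 2 ]; then
        _addrs=$2
    else
        _addrs=$(ip -o addr show dev "$_if" 2>/dev/null)
    fi

    if [ $(( $_flags & $IFF_UP )) -eq 0 ]; then
        echo "$_if: link is down (fix: ip link set dev $_if up)"
        _rc=1
    fi
    if [ $(( $_flags & $IFF_PROMISC )) -eq 0 ]; then
        echo "$_if: not promiscuous (fix: ip link set dev $_if promisc on)"
        _rc=1
    fi
    # Link-local IPv6 is ignored; only a configured IPv4 address is flagged.
    if printf '%s\n' "$_addrs" | grep -q ' inet '; then
        echo "$_if: has an IPv4 address; keep addressing on the management NIC"
        _rc=1
    fi
    [ "$_rc" -eq 0 ] && echo "$_if: up, promiscuous, unaddressed"
    return "$_rc"
}
```

Run it while Snort is listening: Snort enables promiscuous mode on its interface itself unless started with `-p`. A clean result only covers the sensor side; traffic from other machines still has to be delivered to that port by the SPAN/mirror session or by an inline placement.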
Current thread:
- Port mirroring settings for SNORT basant subba (Mar 28)
- Re: Port mirroring settings for SNORT waldo kitty (Mar 28)
- Re: Port mirroring settings for SNORT Kevin Ross (Mar 31)