RE: Snort with Acid : Network

["McCammon, Keith" <Keith.McCammon () eadvancemed com>]

> All the switch are in cascade form. one switch is connected 
> to other, there
> is no vlan configured.
>
> There are 3 switch ports 24 each, all the machine are 
> connected with to
> unstructured or unorganized ip address..
> Which includes router, which is in one of the switch, the 
> linux box with
> snort is in suppose A Switch.
>
> And my snort box, is not detecting portscan, from one machine 
> to another,
> which is in same switch
>
> I think i have to place the snort in proper place, but i am 
> not able to
> figure out where ??

Remember that the great advantage to switching is that address tables are maintained on each device, which allows 
traffic to be sent directly to the destination if it is known, as opposed to being broadcast to every connected node.  
If a host on switch C needs to contact another host on switch C, there is no reason to send a copy of the traffic to 
switch A.

Unless all three switches can be configured to send a copy of all traffic from every port on every switch (pretty nuts, 
actually) to the single port to which your sensor is connected, then you will not be able to see such traffic.  This is 
what host-based IDS are for...





-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users