Snort mailing list archives
Re: Local scan only
From: Matt Kettler <mkettler () evi-inc com>
Date: Sat, 07 Sep 2002 14:29:01 -0400
As for snort.conf: make sure HOME_NET is set correctly with the correct CIDR-style netmask. Most snort rules ignore traffic which is not destined to a machine in that range. For example, 192.168.1.0/24 will match all IPs in the 192.168.1.* range, but 192.168.1.1/32 will only match the single IP 192.168.1.1.
For hardware: Are you sure your hub is truly passive? (i.e., "automatic dual speed hubs" contain a switch). Try getting windump and seeing if your NIC really is seeing the packets. It uses the same winpcap interface that snort for windows will use.
Windump's homepage (referred from http://www.tcpdump.org/wpcap.html) is: http://windump.polito.it/
At 06:22 PM 9/6/2002 -0700, rick bohaty wrote:
I have snort 1.8.7win32.exe installed on W2K pro. When I start the scan only traffic from the snort pc shows up. Traffic from all other pcs on the segment (hub) doesn't. Do I need to enter the subnet somewhere in the snort.conf or command line?
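One way to check the HOME_NET point from the reply above, as an added example that is not part of the original thread: it reads the `var HOME_NET` line from a snort.conf and lists which hosts on the segment fall outside it. The config text, host addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config (not from the thread): HOME_NET narrowed to one host.
SAMPLE_CONF = """\
# network variables
var HOME_NET 192.168.1.1/32
var EXTERNAL_NET any
"""

def parse_home_net(conf_text):
    """Return the networks in `var HOME_NET ...`, or None when it is `any`."""
    # Commented-out definitions (lines starting with #) are skipped by the anchor.
    match = re.search(r"^\s*var\s+HOME_NET\s+(\S+)", conf_text, re.MULTILINE)
    if match is None:
        raise ValueError("no HOME_NET definition found")
    value = match.group(1)
    if value.lower() == "any":
        return None
    # A bracketed, comma-separated list of CIDR blocks (no spaces) is also parsed.
    # Negated (!) entries and $variable references are not handled here.
    entries = value.strip("[]").split(",")
    # strict=False: accept host bits in the address part, e.g. 192.168.1.1/24.
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]

def uncovered_hosts(conf_text, hosts):
    """List the hosts (dotted-quad strings) that fall outside HOME_NET."""
    nets = parse_home_net(conf_text)
    if nets is None:  # `any` covers every address
        return []
    return [h for h in hosts if not any(ipaddress.ip_address(h) in n for n in nets)]

if __name__ == "__main__":
    segment = ["192.168.1.1", "192.168.1.20", "192.168.1.35"]  # constructed
    for host in uncovered_hosts(SAMPLE_CONF, segment):
        print(f"{host} is outside HOME_NET")
```

With the /32 sample, every host except 192.168.1.1 is reported; changing the value to 192.168.1.0/24 reports none.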