Re: Logging Issue

["John D. Caine" <john () valuenetuk com>]

I've answered my own question:

    When you run snort without any options it defaults to running in
promiscuous mode. When you specify the -D option it doesn't. Evidently the
network I'm on isn't as 'switched' as it should be.

John.

----- Original Message -----
From: "John D. Caine" <john () valuenetuk com>
To: <snort-users () lists sourceforge net>
Sent: Tuesday, December 10, 2002 12:44 PM
Subject: [Snort-users] Logging Issue


Hello,

    I've got Snort running and it's logging away quite happily. There is
something that makes me scratch my head though. How come it's catching stuff
thats not destined for my machine?

Here's a scan.log entry:

12/09-16:33:08.677905  ICMP src: 212.4.208.191 dst: 213.239.42.97 type: 8
code: 0 tgts: 8 event_id: 204

The dst IP isn't mine! Does Snort set your ethernet card to be
'promiscuous'? Even so I'm on a swicthed network. I'ts not just portscan
that does it it ops up in the normal log too. Does anybody know what causes
this or am I reading the logs incorrectly??

Thanks.

Regards, John.



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users