Snort mailing list archives
RE: Clueless in Toronto
From: "Rich Stryker" <rstryker () virtuallearning net>
Date: Wed, 18 Dec 2002 13:42:43 -0500
Great, thanks Keith! Got it. I understand now why that is. Switches will broadcast only once until they know which port to send traffic out of. This would mean I would miss just about everything except for the broadcasts and multicasts, whereas a hub is in constant broadcast mode since it shouldn't have the ability to have a MAC table... right?

Assuming I am correct, can you or anyone else now help me with SNORTSNARF? When I followed the instructions from Silicon Defense for installing SNORT on a W2K machine with IIS, SNORT created an alert.ids file. I set up SNORT to run as a service but I didn't get anything, no logs etc. When SNORT runs from the command line it doesn't write to the alert.ids but creates sub folders for every IP address it finds, which I have read to mean that is the default setting. Any suggestions on how I can get the logs to be put into the alert.ids, thereby allowing me to get SNORTSNARF to work?

-----Original Message-----
From: Knight, Ric [mailto:RKnight () TUC ca]
Sent: Wednesday, December 18, 2002 1:28 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto
Importance: Low

Rich,

If you only have dumb switches, then get a hub. Force all traffic you want to monitor through the hub. You only need one interface on the SNORT box to monitor traffic.

If you want to use switches, you need to enable port spanning so that one switch port receives all the traffic on the switch, and then plug snort into that port.

Crude text diagram...

        Snort
         ||
         \/
Router <----> Hub <-------> firewall

=-=-=-=-=-=-=-=-=-=-
Ric Knight
Network Engineer
TransUnion Canada
170 Jackson St. E.
Hamilton Ontario, L8N 1L4
(905) 525-9013 x6212

-----Original Message-----
From: Rich Stryker [mailto:rstryker () virtuallearning net]
Sent: December 18, 2002 11:32 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Clueless in Toronto

Hi,

I have installed SNORT 1.8x on a W2K Server. No service packs as yet because I am just testing the waters with it. There are 2 NICs. I can't seem to figure out how to implement it now that it is running. I figure I will put it behind my firewall. But how do I force traffic to go through one NIC on the server and out through the other? Do I even need to do this? Is one NIC enough to perform NIDS? I had SNORT doing sniffing but it only tracked the local computer's traffic and nothing else. I have SNORTSNARF installed to see the reports, but when I seem to have SNORT running I can't find the log files. I want SNORT set up for NIDS.

All help is greatly appreciated.

Thanks,
Rich
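The thread asks how to get Snort's alerts into the single alert.ids file that SnortSnarf reads. As an added example (not code from the thread, from Snort, or from SnortSnarf), the Python below does the core of what a SnortSnarf-style report needs: it parses Snort's full-mode alert file format into records and tallies alerts by signature and by source address. The sample alert.ids content is constructed for this example; the signature names, SIDs and addresses are made up, only the layout follows Snort's full-alert output.

```python
import re
from collections import Counter

# Constructed sample of a Snort full-mode alert file (the alert.ids layout
# SnortSnarf consumes). Signature names, SIDs and addresses are invented for
# this example; only the block layout follows Snort's own output format.
SAMPLE_ALERT_IDS = """\
[**] [1:1000001:1] LOCAL ICMP echo request [**]
[Classification: Attempted Information Leak] [Priority: 2]
12/18-13:42:43.123456 10.0.0.5 -> 10.0.0.1
ICMP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:84
Type:8  Code:0  ID:512   Seq:1  ECHO

[**] [1:1000002:1] LOCAL HTTP traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
12/18-13:45:10.987654 10.0.0.5:4021 -> 10.0.0.10:80
TCP TTL:128 TOS:0x0 ID:2345 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1234ABCD  Ack: 0x9876FEDC  Win: 0x4470  TcpLen: 20

[**] [1:1000001:1] LOCAL ICMP echo request [**]
[Classification: Attempted Information Leak] [Priority: 2]
12/18-13:46:01.000001 10.0.0.7 -> 10.0.0.1
ICMP TTL:64 TOS:0x0 ID:4322 IpLen:20 DgmLen:84
Type:8  Code:0  ID:513   Seq:1  ECHO
"""

# "[**] [gid:sid:rev] message [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
# "[Classification: ...] [Priority: N]" (optional; absent for rules without one)
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]")
# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"; ports are absent for ICMP
PKT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$"
)


def parse_alerts(text):
    """Split a full-mode alert file into one dict per alert block.

    Blocks are separated by blank lines. Blocks that do not start with a
    Snort alert header, or whose packet line is unparseable, are skipped
    rather than raising, so a truncated tail (Snort still writing) does not
    abort the whole report.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2:
            continue
        hdr = HEADER_RE.match(lines[0])
        if not hdr:
            continue
        gid, sid, rev, msg = hdr.groups()
        rec = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
               "classification": None, "priority": None}
        idx = 1
        cls = CLASS_RE.match(lines[idx])
        if cls:
            rec["classification"] = cls.group(1)
            rec["priority"] = int(cls.group(2))
            idx += 1
        if idx >= len(lines):
            continue
        pkt = PKT_RE.match(lines[idx])
        if not pkt:
            continue
        ts, src, sport, dst, dport = pkt.groups()
        proto = lines[idx + 1].split()[0] if idx + 1 < len(lines) else None
        rec.update(timestamp=ts, src=src, sport=int(sport) if sport else None,
                   dst=dst, dport=int(dport) if dport else None, proto=proto)
        records.append(rec)
    return records


def summarize(records):
    """Tally alerts the way a SnortSnarf front page does: per signature, per source."""
    by_sig = Counter(r["msg"] for r in records)
    by_src = Counter(r["src"] for r in records)
    return {"by_signature": dict(by_sig), "by_source": dict(by_src)}


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERT_IDS)
    for name, table in summarize(recs).items():
        print(name)
        for key, count in sorted(table.items(), key=lambda kv: -kv[1]):
            print(f"  {count:5d}  {key}")
```

To run it against a real file, replace SAMPLE_ALERT_IDS with the contents of alert.ids; the parser only depends on the block layout, not on which rules fired.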