Snort mailing list archives

RE: Clueless in Toronto


From: "Rich Stryker" <rstryker () virtuallearning net>
Date: Wed, 18 Dec 2002 13:42:43 -0500

Great Thanks Keith!

Got it. I understand now why that is. Switches will broadcast only once until they know which port to send traffic out of.
This would mean I would miss just about everything except for the broadcasts and multicasts. Whereas a hub is in constant broadcast mode since it shouldn't have the ability to have a MAC table...right?

Assuming I am correct, can you or anyone else now help me with SNORTSNARF? When I followed the instructions from Silicon Defense for installing SNORT on a W2K machine with IIS, SNORT created an alert.ids file. I set up SNORT to run as a service but I didn't get anything, no logs etc. When SNORT runs from the command line it doesn't write to the alert.ids but creates sub folders for every IP address it finds, which I have read to mean that is the default setting.

Any suggestions on how I can get the logs to be put into the alert.ids and thereby allow me to get SNORTSNARF to work?

-----Original Message-----
From: Knight, Ric [mailto:RKnight () TUC ca]
Sent: Wednesday, December 18, 2002 1:28 PM
To: Rich Stryker
Subject: RE: [Snort-users] Clueless in Toronto
Importance: Low


Rich, 

If you only have dumb switches, then get a hub. Force all traffic you want
to monitor through the hub. You only need one interface on the SNORT box to
monitor traffic. If you want to use switches, you need to enable port
spanning so that one switch port receives all the traffic on the switch and
then plug snort into that port.

Crude text diagram...
                   
              Snort
               ||
               \/
Router <----> Hub <-------> firewall

=-=-=-=-=-=-=-=-=-=-
Ric Knight
Network Engineer
TransUnion Canada
170 Jackson St. E. 
Hamilton Ontario, L8N 1L4
(905) 525-9013 x6212



-----Original Message-----
From: Rich Stryker [mailto:rstryker () virtuallearning net]
Sent: December 18, 2002 11:32 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Clueless in Toronto


Hi,

I have installed SNORT 1.8x on a W2K Server. No service packs as yet because
I am just testing the waters with it. There are 2 NICs.

I can't seem to figure out how to implement it now that it is running. I
figure I will put it behind my firewall. But how do I force traffic to go
through one NIC on the server and out through the other? Do I even need to
do this, is one NIC enough to perform NIDS? I had SNORT doing sniffing but
it only tracked the local computer's traffic and nothing else.

I have SNORTSNARF installed to see the reports but when I seem to have SNORT
running I can't find the log files. I want SNORT setup for NIDS.

All help is greatly appreciated.

Thanks,

Rich


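The thread never shows what SnortSnarf actually consumes from alert.ids. As an added example (not code from the thread, Snort or SnortSnarf), the following parses Snort's single-line "fast" alert format, assumed here to be what alert.ids holds when Snort is started with `-A fast`, and builds the per-signature and per-source counts that SnortSnarf reports; the sample lines are constructed, and non-alert lines such as start-up chatter are counted and skipped rather than crashing the parse.

```python
import re
from collections import Counter

# One line of Snort's "fast" alert format (assumed format for alert.ids under
# -A fast). Ports are optional because ICMP alerts carry none.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert_line(line):
    """Return the fields of one fast-format alert, or None when the line is
    not an alert (start-up messages, blank lines, a truncated final write)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sig"] = f"{d['gid']}:{d['sid']}:{d['rev']}"
    d["pri"] = int(d["pri"]) if d["pri"] else None
    return d

def summarize(lines):
    """Count alerts per signature and per source address (the two views
    SnortSnarf builds) and report how many lines could not be parsed."""
    by_sig, by_src, skipped = Counter(), Counter(), 0
    for line in lines:
        a = parse_alert_line(line)
        if a is None:
            skipped += 1
            continue
        by_sig[(a["sig"], a["msg"])] += 1
        by_src[a["src"]] += 1
    return {"by_sig": by_sig, "by_src": by_src, "skipped": skipped}

# Constructed sample of alert.ids content; addresses and times are made up.
SAMPLE = """\
Initialization Complete
12/18-11:32:01.123456  [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.50:1357 -> 10.0.0.5:80
12/18-11:32:05.654321  [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.50:1358 -> 10.0.0.5:80
12/18-11:33:10.000001  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.77 -> 10.0.0.5
"""

if __name__ == "__main__":
    report = summarize(SAMPLE.splitlines())
    for (sig, msg), n in report["by_sig"].most_common():
        print(f"{n:4d}  [{sig}] {msg}")
    for src, n in report["by_src"].most_common():
        print(f"{n:4d}  from {src}")
    print(f"skipped {report['skipped']} non-alert line(s)")
```

If alert.ids stays empty while per-IP subdirectories appear, Snort is in its default packet-logging mode rather than fast alerting, and this parser will correctly report zero alerts.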