Snort mailing list archives

RE: Help!!!


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 1 Aug 2003 15:25:20 -0500

Never forget, the packets must *pass* the sniffer interface for it to
report any alerts.  If you're doing a Nessus scan from box A to box B
like this:
 
A ------------>> B ----------->> C
                             |
                             |
                         snort
 
snort will never see it.
 
If you're doing it like this:
 
A------------->> B
        |
        |
     snort
 
Then snort will see it.  *If* you have all your devices plugged in to a
hub *and* you are *certain* that it's not really a switch, then snort
should see anything on that hub, but that's a big if these days.  I've
seen many "hubs" at the local computer store that are really switches
when you read the specs.
 

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
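The two topologies above come down to one question: does the sniffer's port ever receive the frames? Below is an added example, not part of this thread, that models it. A hub repeats every frame out of every port; a learning switch records which port each source MAC lives on and, once it knows both ends of a conversation, delivers frames only to the destination's port. Host names, port numbers and MAC addresses are constructed for the demonstration, and the switch is a minimal transparent bridge (no VLANs, no aging).

```python
"""Added example, not part of the mailing-list thread: a toy model of why a
Snort sensor on a *switch* port misses traffic between two other hosts, while
the same sensor on a true *hub* sees everything. Host names, ports and MAC
addresses are constructed for the demonstration."""

from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str  # source MAC
    dst: str  # destination MAC


class Hub:
    """A repeater: every frame goes out every port except the one it came in on."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, frame, ingress):
        return self.ports - {ingress}


class LearningSwitch:
    """A transparent bridge: learns source MAC -> port, sends known unicast
    destinations out one port only, floods unknown destinations and broadcast."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}

    def forward(self, frame, ingress):
        self.mac_table[frame.src] = ingress          # learn where the sender is
        if frame.dst != BROADCAST and frame.dst in self.mac_table:
            out = self.mac_table[frame.dst]
            return set() if out == ingress else {out}
        return self.ports - {ingress}                # unknown or broadcast: flood


# Constructed hosts: name -> (switch/hub port, MAC address).
HOSTS = {
    "A":     (1, "02:00:00:00:00:0a"),   # the Nessus scanner
    "B":     (2, "02:00:00:00:00:0b"),   # the scan target
    "snort": (3, "02:00:00:00:00:5e"),   # the sensor
}


def frames_seen_by_sensor(device, scanner, target, sensor="snort", rounds=3):
    """Send `rounds` probe/response pairs between scanner and target and return
    how many of those frames reach the sensor's port (either delivered to it or
    sent from it, since a host always sees its own traffic)."""
    port = {name: p for name, (p, _) in HOSTS.items()}
    mac = {name: m for name, (_, m) in HOSTS.items()}
    seen = 0
    for _ in range(rounds):
        for src, dst in ((scanner, target), (target, scanner)):
            frame = Frame(mac[src], mac[dst])
            delivered_to = device.forward(frame, port[src])
            if src == sensor or port[sensor] in delivered_to:
                seen += 1
    return seen


def compare(rounds=3):
    """Return {(device, target): frames seen} for the two cases in the thread:
    scanning another host B, and scanning the Snort box itself."""
    results = {}
    for dev_name, dev_cls in (("hub", Hub), ("switch", LearningSwitch)):
        for target in ("B", "snort"):
            device = dev_cls(p for p, _ in HOSTS.values())   # fresh MAC table each run
            results[(dev_name, target)] = frames_seen_by_sensor(
                device, "A", target, rounds=rounds)
    return results


if __name__ == "__main__":
    total = 2 * 3
    for (dev, target), seen in compare().items():
        print(f"{dev:6} A -> {target:5}: sensor saw {seen}/{total} frames")
```

On the hub the sensor sees all six frames in both cases. On the switch it sees all six only when the scan is aimed at the Snort box itself, which is exactly the behaviour the original poster reports; when A scans B the sensor sees just one frame, the very first probe, which the switch floods because it has not yet learned B's port. That stray flooded frame is why a sensor on a switch port can log the occasional orphan packet and still miss the scan.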

        -----Original Message-----
        From: Brandon Hanks [mailto:hanksbc () knology net] 
        Sent: Friday, August 01, 2003 2:32 PM
        To: snort-users () lists sourceforge net
        Subject: [Snort-users] Help!!!
        
        
        I used Patrick S. Harper's install guide, Snort, Apache, PHP,
        MySQL, ACID on Redhat 9.0 Installation Guide
        <http://www.snort.org/docs/snort_acid_rh9.pdf>, without any problems.
        Here is my problem: When I perform a Nessus audit on a machine on my
        local network, Snort does not log any intrusion detection activity.
        But, when I direct the Nessus audit directly at the box running Snort,
        the log files are generated and can be viewed using Acid.  In my
        snort.conf file, I defined my local network as 192.168.0.0/24, which
        covers a small windows environment.  BTW, using Snort 2.0.  The Snort
        box is located on my local network at 192.168.0.198.  Why does it not
        register, log, or recognize attacks directed at machines within its local
        network?  Any help will be greatly appreciated...Thanks

