Snort mailing list archives
Re: Issue with Wireless Monitoring
From: Alan Ptak <alan.ptak () gmail com>
Date: Fri, 2 Apr 2010 14:22:57 -0700
Hi Paul,

Since snort is able to see traffic on the interface, the next place I would look is the variables for HOME_NET and EXTERNAL_NET, and at the rule itself.

HTH .. Alan

On Thu, Apr 1, 2010 at 10:09 AM, Paul K <paulk33243 () gmail com> wrote:
> Anyone have a good, recent link or article on completely setting up Snort for a wireless network?
>
> Here is my issue:
>
> - Using wlan0 (Atheros card) on a laptop and Snort starts just fine on the system, so no issues there.
> - Created a simple rule to look for nocase "google" - works like a champ on the local system
> - Above rule does not work to monitor other traffic on the same WAP as the laptop.
> - snort -v -d -i wlan0 will see the full packet captures from the other systems, including the full request to google and displays the google packet captures
> - However, no alerts are generated from the above connection to google on a different system
> - Can create a rule looking for traffic to/from another system's IP address and snort will capture and alert on traffic to/from the system.
>
> So basically, 'snort -v -d -i wlan0' will see all traffic from all systems on the WAP, a rule looking for traffic to/from a system on the WAP will trigger; however, Snort will not alert on content from other systems on the WAP...
>
> Am I missing something really trivial here, or is there a trick to getting wireless monitoring going?
>
> Thanks,
> Paul
--
Alan Ptak
alan.ptak () gmail com
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
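The check suggested in the reply above can be done offline. The following is an added example, not code from the thread or from the Snort project: it evaluates only the address fields of a rule header against HOME_NET and EXTERNAL_NET (ports and options are ignored, nested negation inside lists is not handled). The rule text, variable values and IP addresses are constructed assumptions, not the poster's configuration.

```python
import ipaddress

def resolve(spec, variables):
    """Expand a rule address field into (negated, networks); networks=None means 'any'."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):                      # variable reference, e.g. $HOME_NET
        inner_neg, nets = resolve(variables[spec[1:]], variables)
        return (negated != inner_neg, nets)
    if spec == "any":
        return (negated, None)
    items = spec.strip("[]").split(",")           # single CIDR or [a,b,c] list
    return (negated, [ipaddress.ip_network(i.strip(), strict=False) for i in items])

def addr_matches(ip, spec, variables):
    negated, nets = resolve(spec, variables)
    hit = True if nets is None else any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated

def header_matches(rule, src, dst, variables):
    """True if the packet's src/dst addresses satisfy the rule header."""
    # Header layout: action proto src_ip src_port direction dst_ip dst_port
    _, _, r_src, _, direction, r_dst, _ = rule.split("(", 1)[0].split()
    forward = addr_matches(src, r_src, variables) and addr_matches(dst, r_dst, variables)
    reverse = addr_matches(dst, r_src, variables) and addr_matches(src, r_dst, variables)
    return forward or (direction == "<>" and reverse)

# Constructed sample data (assumptions for illustration only).
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any '
        '(msg:"google seen"; content:"google"; nocase; sid:1000001;)')
SENSOR, OTHER_HOST, REMOTE = "192.168.1.10", "192.168.1.20", "203.0.113.5"
NARROW = {"HOME_NET": "192.168.1.10/32", "EXTERNAL_NET": "!$HOME_NET"}  # sensor only
WIDE = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}     # whole WLAN

if __name__ == "__main__":
    for name, variables in (("narrow", NARROW), ("wide", WIDE)):
        for host in (SENSOR, OTHER_HOST):
            result = header_matches(RULE, host, REMOTE, variables)
            print(f"HOME_NET={name:6} src={host:13} header matches: {result}")
```

With the narrow HOME_NET the header matches only traffic sourced from the sensor itself, so a content rule would stay silent for other hosts even though `snort -v -d` prints their packets.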
Current thread:
- Issue with Wireless Monitoring Paul K (Apr 01)
- Re: Issue with Wireless Monitoring Alan Ptak (Apr 02)