Re: Snort stopped sniffing on hub

[Chris Green <cmg () uab edu>]

"Cody Hatch" <cody () hatch-house net> writes:

> First of all, I can't find an answer to this question anywhere, so
> hopefully someone here can help me.  I've got Snort on a hub located
> outside my firewall.  It's sniffing all traffic to and from my firewall
> (my internal network is behind my firewall).  My Snort box does not have
> a firewall, so my problem isn't that.  For a while, Snort worked fine,
> sniffing all traffic on the hub, then it started only logging traffic
> destined or from the box Snort is running on.  I've got the variable
> HOME_NET set to any, I've set it to my subnet (xxx.xxx.xxx.0/24), I've
> tried everything.  I'm having Snort log to MySQL, and here are the
> arguments being given:
>
> snort -o -b -i eth0 -D -l /var/log/snort -c /etc/snort/snort.conf
>
> I can't think of what my problem is.  Why would it work just fine, and
> then one day start sniffing only traffic to and from its own box?  Any
> ideas?

It sounds very much like you are running into 10/100 psuedo hub
problems with media mismatch between machines.  Try forcing all your
nics to either 10 or 100
-- 
Chris Green <cmg () uab edu>
Let not the sands of time get in your lunch.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users