Snort mailing list archives

Re: Local scan only


From: Matt Kettler <mkettler () evi-inc com>
Date: Sat, 07 Sep 2002 14:29:01 -0400

As for snort.conf:

Make sure HOME_NET is set correctly, with the correct CIDR-style netmask. Most Snort rules ignore traffic which is not destined to a machine in that range. For example, 192.168.1.0/24 will match all IPs in the 192.168.1.* range, but 192.168.1.1/32 will only match the single IP 192.168.1.1.


For hardware:

Are you sure your hub is truly passive? (i.e., "automatic dual speed hubs" contain a switch.) Try getting WinDump and seeing if your NIC really is seeing the packets. It uses the same WinPcap interface that Snort for Windows will use.

Windump's homepage (referred from http://www.tcpdump.org/wpcap.html) is:

http://windump.polito.it/


At 06:22 PM 9/6/2002 -0700, rick bohaty wrote:
I have snort 1.8.7win32.exe installed on W2K Pro. When
I start the scan, only traffic from the Snort PC shows
up. Traffic from all other PCs on the segment (hub)
doesn't. Do I need to enter the subnet somewhere in
the snort.conf or command line?
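
The HOME_NET point in the reply above, as an added example that is not part of the original messages: a small check of which hosts on a monitored segment fall inside a given HOME_NET value. It goes slightly beyond the single-CIDR case in the reply by also accepting `any` and a bracketed list. The function names are hypothetical, the host addresses are constructed, and the model is simplified to "does the destination fall inside HOME_NET".

```python
import ipaddress

def parse_home_net(value):
    """Parse 'any', a single CIDR block, or a bracketed comma-separated list."""
    value = value.strip()
    if value.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    entries = [e.strip() for e in value.strip("[]").split(",") if e.strip()]
    # strict=False: an entry such as 192.168.1.1/24 is read as 192.168.1.0/24
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def in_home_net(nets, addr):
    """True if addr falls inside any of the parsed HOME_NET networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def audit(home_net, sensor_ip, segment_hosts):
    """Return (covered, missed, warnings) for hosts on the monitored segment."""
    nets = parse_home_net(home_net)
    covered = [h for h in segment_hosts if in_home_net(nets, h)]
    missed = [h for h in segment_hosts if h not in covered]
    warnings = []
    if covered == [sensor_ip] and missed:
        # The symptom from the thread: only the sensor's own traffic matches
        warnings.append("HOME_NET matches only the sensor; widen the netmask")
    elif missed:
        warnings.append("HOME_NET misses: " + ", ".join(missed))
    return covered, missed, warnings

# Constructed sample data: the sensor plus two other hosts on the same hub
SENSOR = "192.168.1.1"
HOSTS = ["192.168.1.1", "192.168.1.20", "192.168.1.77"]

if __name__ == "__main__":
    for value in ("192.168.1.1/32", "192.168.1.0/24"):
        covered, missed, warnings = audit(value, SENSOR, HOSTS)
        print(value, "covered:", covered, "missed:", missed, warnings)
```
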


