Snort mailing list archives

Re: Newbie Q on making it work


From: Faber Fedor <faber () linuxnj com>
Date: Wed, 27 Nov 2002 10:04:38 -0500


On Wed, Nov 27, 2002 at 06:45:24AM -0700, Slighter, Tim wrote:
> Better yet, disable the IP'd interface on your snort system and then run
> TCPDUMP on the stealth interface and see if it is picking up any type of
> traffic.

Good idea!

So I did that, now I'm totally confused.  I'm not seeing any web
traffic.  I am seeing DNS traffic (which goes out of my network onto the
internet).

So I changed my topology thusly:

Internet -> cablemodem -> Linksys BEFSR41 ---> snort1
                                          |--> surfer
                                          |--> Linksys
                                               EFAHO5W --> other
                                                           computers

Where the "surfer" is a Windows XP machine running a 100 Mbit card
and does the web surfing.

I *still* don't see any data.  How can that be?  The traffic *has to* go
through the BEFSR41 box, which means every device connected to it will
see the traffic.  Right?

Alright, let's do this...

cablemodem -> BEFSR41 --> surfer
                      |-> EFAHO5W --> snort1
                                  |-> surfer2

Okay, *now* I see data from surfer2.  At least I have something to work
with.

Since EFAH05W is actually a switch (which I did not know, thanks for
pointing that out), I can understand why surfer wouldn't see data going
from snort1 to surfer2.  What I don't understand is how data can go from
surfer2 to the internet without it being passed to all of the devices
attached to the BEFSR41.  I guess it's time I broke down and studied for
that CCNA test, eh?

Sorry to have bothered you guys with a non-snort problem.  The next time
I post, I promise it'll be with a problem about snort. :-)
                                 

-- 
 
Regards,
 
Faber                     

Linux New Jersey: Open Source Solutions for New Jersey
http://www.linuxnj.com




