Snort mailing list archives
RE: Help me friends
From: "Semerjian, Ohanes" <Semerjian.Ohanes () wcom com au>
Date: Tue, 10 Dec 2002 08:02:13 +0800
I'll answer the second part of your question regarding using a Snort sensor to monitor the traffic on your LAN. To do so successfully you need to mirror the port you connect the Snort sensor to, so that all packets going in and out of the other ports on that switch get mirrored to the port your Snort machine is connected to. Read about port mirroring. This is not something specific to Snort; it is a networking concept and it's valid for the networking devices of most vendors, like Cisco, Nortel etc.

Best Regards
Ohanes Semerjian
Security Administrator, AsiaPac
International Security Group (Central Services)
WorldCom International
Ph: (02) 9434 5636
Mob: 0410 657 249
PGP key 75DF 2980 5663 2DC1 12CD E43E 94D6 7A9A 222D 3449

-----Original Message-----
From: skaushik () snsin com [mailto:skaushik () snsin com]
Sent: Saturday, 7 December 2002 6:15 PM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Help me friends

Dear Friends,

I have been trying to use Snort 1.9.0 by creating my own rules. Though I succeeded in implementing that with a few simple rules, I am not able to use it with all its features. For example: I wanted to implement the flexresp feature, so I downloaded libnet 1.0 and reconfigured Snort with flexresp support, but when I implemented the rule it says the keyword in the rules file is invalid. I faced the same error when using the portscan feature in my rule.

Another important thing I wanted to know is this: I installed Snort on a machine in the local LAN, not as a gateway but directly connected to a switch, to which all the machines are connected. In this scenario I wanted my Snort machine to scan all the network traffic in the local LAN. The catch here is that I was able to scan all the telnet sessions to or from the Snort machine, but unable to scan those telnet sessions not involving the Snort machine.

Also I was not able to scan the internet requests originating from machines other than the Snort machine. The scan shows only the from (internal source IP) -> to (the gateway IP), but not the websites' IP address, and I have checked that my rule was right. But that does not happen while scanning the Snort machine; it gives the detailed internal and external (website) IP addresses. Is the problem anything to do with the location of the Snort machine?

Please help me in this regard.

Warm regards,
S.Kaushik
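The symptom in the original question (the sensor only sees sessions that involve itself) is exactly what an unmirrored switch port produces. The following is an added diagnostic example, not code from either poster or from the Snort project: it parses Ethernet/IPv4 frames and reports whether any captured traffic runs between two hosts other than the sensor, which is only possible once the switch port is mirrored. The sensor address and the sample frames are constructed; in practice you would feed it frames read from the sniffing interface.

```python
import struct
import ipaddress

SENSOR_IP = "192.168.1.50"  # constructed sample address for the Snort sensor


def parse_ipv4_frame(frame):
    """Return (src_ip, dst_ip) for an Ethernet II frame carrying IPv4, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType 0x0800 = IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20:
        return None
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    return src, dst


def build_frame(src_ip, dst_ip):
    """Constructed minimal Ethernet II + IPv4 header (no payload); sample input only."""
    eth = bytes(12) + b"\x08\x00"  # zeroed MACs, IPv4 EtherType
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def classify_capture(frames, sensor_ip):
    """Count frames whose endpoints include the sensor vs. frames between other hosts."""
    counts = {"sensor": 0, "third_party": 0, "non_ipv4": 0}
    for frame in frames:
        endpoints = parse_ipv4_frame(frame)
        if endpoints is None:
            counts["non_ipv4"] += 1
        elif sensor_ip in endpoints:
            counts["sensor"] += 1
        else:
            counts["third_party"] += 1
    return counts


def mirror_verdict(counts):
    """Third-party IPv4 traffic is only visible when the sensor's switch port is mirrored."""
    if counts["third_party"] > 0:
        return "mirrored"
    if counts["sensor"] > 0:
        return "not mirrored"
    return "inconclusive"


# Constructed captures: an unmirrored port shows only the sensor's own session;
# a mirrored port additionally shows a telnet-style flow between two other hosts.
UNMIRRORED = [build_frame("192.168.1.10", SENSOR_IP), build_frame(SENSOR_IP, "192.168.1.10")]
MIRRORED = UNMIRRORED + [build_frame("192.168.1.10", "192.168.1.20"),
                         build_frame("192.168.1.20", "192.168.1.1")]
```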