Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: (no subject)

From: Erek Adams <erek () snort org>
Date: Thu, 9 Jan 2003 13:17:11 -0500 (EST)
On Thu, 9 Jan 2003, Jim Schwin wrote:


I just started to work with snort 1.9.0. I have it install on Windows 2000.
I am currently just using the base rule set that it comes with. I have not
received any alerts same of yet. I thought the snort.conf that comes with
1.9.0 would be good enough to pick up on many intrusions. I do receive a lot
of these types 5 and type 8 messages. Is this somewhat normal?


[...snip...]

Well...  I'm making a semi-educated guess:  You're on a switch or a
'auto-sensing' hub.  If that's the case you're only going to see the
traffic destined for that box (switch) or for that 'speed' of card
(auto-sensing hub).

If it's a Cisco switch, look into configuring a SPAN port.  If it's
another brand, it might be known as 'port mirroring'.

If it's a auto-sensing hub, you're only going to see traffic for that
speed (10 or 100 mb) of card.  You'd have to move to a true 'dumb hub' to
have it work.

Hope that helps!

-----
Erek Adams

   "When things get wierd, the wierd turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: