Snort mailing list archives

Re: snort-users () lists sourceforge net


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 09 Dec 2003 18:37:11 -0500

At 06:18 PM 12/9/2003, sama () inf ufsc br wrote:
> I've installed Snort 2.0.5 perfectly on a Debian box. This machine is on a
> LAN that has a Firewall/Nat box. My question is: How could I set up the snort
> box to sensor the LAN behind the firewall/nat ? I put HOME_NET var to the
> address of the internal network but, when I tried to scan another machine on
> this network, the snort didn't get the scan.

Your LAN is likely switched. In this case, you need to do something to make your snort system see all traffic traversing the switch. By definition, switches only send ethernet packets to hosts that need them, not every host in the entire LAN.

On higher-end (managed) switches this can be done by configuring them with a mirror port. The mirror port gets copies of every packet traversing the switch (it does, however, miss some on a very busy switch, just by the nature of trying to monitor more traffic than can pass through the mirror port).

Lower end switches (unmanaged ones) don't support anything of this sort. Your only option here is to try to basically break the switch into being a hub using macof to flood its MAC tables. However, this has serious performance impact, and I wouldn't recommend it in a production environment.
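To make the mechanism in the reply above concrete, here is an added example that is not code from the post, the list, or the Snort project. It models a three-port learning switch with a small (64-entry) forwarding table, a scanner on port 1, a target on port 2 and the Snort sensor on port 3, and counts how many scan probes reach the sensor port with plain switching, with a mirror (SPAN) port, and while a macof-style stream of random source/destination MACs is flooding the table. The switch model is a simplification (a full table evicts its oldest entry; real switches vary in how they fail), and all port numbers, MAC addresses and the table size are assumptions chosen for the illustration.

```python
"""Toy learning switch: why a sensor on a switched LAN misses unicast traffic,
what a mirror (SPAN) port changes, and how CAM-table flooding degrades the
switch to hub-like behaviour.  Added illustration, not code from the post."""
import random
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def rand_mac(rng):
    """Locally administered random MAC, as a macof-style flooder would send."""
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


class LearningSwitch:
    def __init__(self, ports, cam_size, mirror_port=None):
        self.ports = list(ports)
        self.cam_size = cam_size            # assumed table size for the model
        self.cam = OrderedDict()            # src MAC -> port, oldest entry first
        self.mirror_port = mirror_port      # SPAN destination, if configured
        self.frames_out = {p: 0 for p in self.ports}

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)
            self.cam[mac] = port
            return
        if len(self.cam) >= self.cam_size:
            # Table full: simplification that evicts the oldest entry, which is
            # the effect macof relies on (legitimate entries get pushed out).
            self.cam.popitem(last=False)
        self.cam[mac] = port

    def forward(self, in_port, src, dst, payload):
        """Deliver one frame; returns the list of egress ports it was sent to."""
        self._learn(src, in_port)
        out_port = self.cam.get(dst)
        if dst == BROADCAST or out_port is None:
            outs = [p for p in self.ports if p != in_port]   # unknown dst: flood
        else:
            outs = [out_port]                                # known dst: unicast
        if self.mirror_port is not None and self.mirror_port not in outs \
                and self.mirror_port != in_port:
            outs.append(self.mirror_port)                    # SPAN copy
        for p in outs:
            self.frames_out[p] += 1
        return outs


def run_scan(mirror=False, flood_per_probe=0, probes=5, seed=1):
    """Scanner (port 1) probes target (port 2); sensor sits on port 3.
    Returns how many of the scanner's probes were delivered to the sensor port."""
    sensor = 3
    sw = LearningSwitch(ports=[1, 2, sensor], cam_size=64,
                        mirror_port=sensor if mirror else None)
    scanner, target = "00:11:22:33:44:01", "00:11:22:33:44:02"   # assumed MACs
    # ARP exchange primes the table, so later unicast is no longer flooded.
    sw.forward(1, scanner, BROADCAST, "arp who-has target")
    sw.forward(2, target, scanner, "arp reply")
    rng = random.Random(seed)
    seen = 0
    for port in range(1, probes + 1):
        for _ in range(flood_per_probe):
            # macof-style noise from the sensor's own port: random src fills the
            # table, random dst is never known so the switch floods it too.
            sw.forward(sensor, rand_mac(rng), rand_mac(rng), "macof")
        outs = sw.forward(1, scanner, target, f"SYN to tcp/{port}")
        if sensor in outs:
            seen += 1
        # The target answers, so the switch re-learns its port immediately;
        # flooding must be continuous to keep the table full.
        sw.forward(2, target, scanner, f"RST from tcp/{port}")
    return seen


if __name__ == "__main__":
    print("plain switch, sensor sees:", run_scan())
    print("mirror port, sensor sees:", run_scan(mirror=True))
    print("light flood (10/probe), sensor sees:", run_scan(flood_per_probe=10))
    print("heavy flood (100/probe), sensor sees:", run_scan(flood_per_probe=100))
```

Two things worth noticing when running it: a flood that does not outgrow the table (10 fake MACs per probe against a 64-entry table) changes nothing, and once the flood does outgrow it the switch forwards every probe to all ports, which is exactly the hub-like load on every host that the reply warns about. The mirror port gets every probe without touching the table at all.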
