Snort mailing list archives

Re: monitoring only occurring on snort host


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 03 Feb 2004 10:50:10 -0500

At 06:22 PM 2/2/2004, Ted Iglehart wrote:
> I appear to have everything configured correctly with my home network set to x.x.x.x/24
>
> However, I only appear to be catching events that are actually hitting the snort box and not the subnet as a whole?

What kind of network device is the snort box plugged into?

Most modern 10/100 ethernets are using switches, or "auto-switching hubs".

Snort cannot sniff a packet which does not appear on the wire connected to it. Switches inherently limit which ports they forward packets to in order to reduce network congestion.

If you want to sniff all traffic, you have three main options for hookup hardware:

1) get a truly passive hub. However, most of these are straight 10 Mbit and can present a bottleneck. However, if you're sniffing an ethernet feeding a cable modem, T1, or some low-bandwidth point in your network, this isn't a big deal.

2) get a good managed network switch which has mirror port capabilities (also called span port by some mfg's). These can be a bit expensive.

3) use a network tap. Most of these are fully passive and thus a bit tricky to configure, but are one of the least "line disruptive" measures. The big advantage is you don't have an extra switch that can fail and take out your connection. Can be home-made, or bought. Depending on speed and features these can be inexpensive to a bit expensive.
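One way to check which situation a sensor is in, as an added example that is not part of the original post: classify the frames in `tcpdump -e -n` output by MAC address and see whether any unicast traffic between other hosts reaches the sniffing interface. The sensor MAC, the sample capture and the 5% threshold are assumptions made up for illustration.

```python
import re
from collections import Counter

# Link-level header as printed by `tcpdump -e -n`: "<time> <src MAC> > <dst MAC>, ..."
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
FRAME_RE = re.compile(rf"^\S+ {MAC} > {MAC},", re.I)

def classify(src, dst, sensor_mac):
    """Say why this frame could have reached the sensor's port."""
    if sensor_mac in (src, dst):
        return "sensor"       # the sensor's own traffic: always visible
    if int(dst[:2], 16) & 1:
        return "flooded"      # broadcast/multicast: a switch sends it to every port
    return "third_party"      # unicast between other hosts: needs hub, mirror port or tap

def visibility(lines, sensor_mac):
    """Count frames per class; lines without a link-level header are skipped."""
    sensor_mac = sensor_mac.lower()
    counts = Counter()
    for line in lines:
        m = FRAME_RE.match(line)
        if m:
            counts[classify(m.group(1).lower(), m.group(2).lower(), sensor_mac)] += 1
    return counts

def sees_subnet(counts, min_share=0.05):
    """True when third-party unicast is a real share of the capture.
    A switch can still leak a few such frames (unknown-destination flooding),
    so a threshold is used; 5% is an assumed, tunable value."""
    total = sum(counts.values())
    return total > 0 and counts["third_party"] / total >= min_share

# Constructed sample: what a sensor on an ordinary switch port captures.
SENSOR = "00:0c:29:aa:bb:01"
SWITCHED = """\
10:50:10.000101 00:0c:29:11:22:33 > 00:0c:29:aa:bb:01, ethertype IPv4 (0x0800), length 74: 192.0.2.10.40112 > 192.0.2.5.22: Flags [S], length 0
10:50:10.000250 00:0c:29:aa:bb:01 > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 74: 192.0.2.5.22 > 192.0.2.10.40112: Flags [S.], length 0
10:50:11.120000 00:0c:29:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.10, length 46
10:50:12.300000 00:0c:29:44:55:66 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.0.2.20.5353 > 224.0.0.251.5353: 0 PTR (QM)? _ipp._tcp.local. (45)
""".splitlines()

if __name__ == "__main__":
    counts = visibility(SWITCHED, SENSOR)
    print(dict(counts), "sees subnet:", sees_subnet(counts))
```

A capture that contains only `sensor` and `flooded` frames matches the symptom in the question: the interface is on a switched port with no hub, mirror port or tap in the path.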



