Snort mailing list archives
Re: plz help
From: Sam Evans <wintrmte () gmail com>
Date: Sat, 16 Oct 2004 16:52:25 -0600
Chandra, It depends on what your machines are connected to. If they are connected to a switch, and your snort box is also connected to a switch, then you will need to put the port that your snort box is plugged into, into a span/mornitor all mode. If you cannot do such a thing, then you are out of luck, I am afraid. Your best bet would be to make the snort box into a router/gatway and add another NIC to it. If you are plugged into a HUB, then your snort box *should* be seeing the traffic, and it could be a case where the signature you are trying to test against is not being matched. Try making something easy, like: alert ip <ip_address_of_pc_a> any -> any any (msg: "Test Rule from PC A";) Replace <ip_address_of_pc_a> with the IP address of machine labeled PC A. Restart snort .. If you don't see any traffic, then you've got other issues at hand (i.e., is snort listening on the right interface?) -Sam On Thu, 14 Oct 2004 13:48:23 +0600, Chandana Bandara <chandana () dialogsl net> wrote:
hi , my snort placed in same network with the other machines. It has only one interface card. PC A --------- PC B ------------- PC C -------- Snort Box -------- PC D --------- ....... so on I made ping request PC B to PC D . It is not a nornal ping , added the packect size 50 000. This can be unknown attack in the network . But like this alerts why can't detect from the snort ? my snort wont show such hits ? where is the problem ? can u all help ....plz ? Thank u chandana
------------------------------------------------------- This SF.net email is sponsored by: IT Product Guide on ITManagersJournal Use IT products in your business? Tell us what you think of them. Give us Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more http://productguide.itmanagersjournal.com/guidepromo.tmpl _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- plz help Chandana Bandara (Oct 14)
- RE: plz help Patrick S. Harper (Oct 14)
- Re: plz help Jose Maria Lopez (Oct 14)
- Re: plz help Sam Evans (Oct 16)
- <Possible follow-ups>
- plz help Curlys (Oct 14)
- RE: plz help Harper, Patrick (Oct 14)