Snort mailing list archives

Re: plz help

From: Sam Evans <wintrmte () gmail com>
Date: Sat, 16 Oct 2004 16:52:25 -0600

Chandra,

It depends on what your machines are connected to.  If they are
connected to a switch, and your snort box is also connected to a
switch, then you will need to put the port that your snort box is
plugged into, into a span/mornitor all mode.

If you cannot do such a thing, then you are out of luck, I am afraid. 
Your best bet would be to make the snort box into a router/gatway and
add another NIC to it.


If you are plugged into a HUB, then your snort box *should* be seeing
the traffic, and it could be a case where the signature you are trying
to test against is not being matched.  Try making something easy,
like:

alert ip <ip_address_of_pc_a> any -> any any (msg: "Test Rule from PC A";)

Replace <ip_address_of_pc_a> with the IP address of machine labeled PC A.

Restart snort ..  If you don't see any traffic, then you've got other
issues at hand (i.e., is snort listening on the right interface?)


-Sam

On Thu, 14 Oct 2004 13:48:23 +0600, Chandana Bandara
<chandana () dialogsl net> wrote:

 
hi , 
  
my snort placed in same network with the other machines. It has only one
interface card. 
  
  
PC A --------- PC B ------------- PC C -------- Snort Box -------- PC D
--------- ....... so on 
  
I made ping request PC B to PC D . It is not a nornal ping , added the
packect size 50 000. This can be unknown attack in the network . 
But like this alerts why can't detect from the snort ? my snort wont show
such hits ? where is the problem ? can u all help ....plz ? 
  
Thank u 
chandana



-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

plz help Chandana Bandara (Oct 14)
- RE: plz help Patrick S. Harper (Oct 14)
- Re: plz help Jose Maria Lopez (Oct 14)
- Re: plz help Sam Evans (Oct 16)
- <Possible follow-ups>
- plz help Curlys (Oct 14)
- RE: plz help Harper, Patrick (Oct 14)