Snort mailing list archives
Re: Sensor location
From: Michael Boman <michael.boman () gmail com>
Date: Sat, 20 Nov 2004 15:11:49 +0800
On Tue, 9 Nov 2004 13:28:10 -0600, César Sanabria <cesanpin () gmail com> wrote:
> Hi, I'm having troubles detecting traffic, my network is more or less:
>
>                      DMZ
>                       |         |------- LAN 1 (segment 191.168.1.x)
> INTERNET ---- GW --(1)---GW-- |-------- LAN 2 (segment 191.168.2.x)
>                  segment X      |   .
>                                 |   .
>                                 |------- LAN N (segment 191.168.n.x)
>
> I put my sensor on (1), a segment X (192.x.x.x), and I would like to
> catch all traffic from every LAN (segment), but I'm not logging all
> alerts. I mean, supposedly I'm on the first segment and I ping a server
> on the DMZ, and I can't see the traffic in sniffer mode either. So the
> question is: why am I not logging alerts from other segments that
> aren't in the same segment where I put my sensor? What can I do to log
> alerts?
Snort, as well as all other NIDS software, is more dependent on the actual hardware setup of the network than on the logical design. You have not told us how you get your Snort to collect data (hub/switch/tap/inline) and how the segments you want to monitor are connected to the network.

If you are using switches in your network you must make sure that they support SPAN ports or mirror ports (each vendor seems to invent their own word for it). If you are using hubs, make sure that they are true hubs and not switching hubs (if it says "10/100 Mbit hub" on the box it's almost for certain a switching hub).

Please let us know the physical setup of your network and we can help you troubleshoot your problem.

Best regards
Michael Boman
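Added example, not part of the thread: one way to check what the reply describes is to capture on the sensor interface with `tcpdump -nn` and see, per segment, whether any unicast traffic between other hosts arrives or only broadcast/multicast, which every switch port receives even without a SPAN/mirror port. The /24 masks, the sensor address 192.0.2.10, the sample lines and the names `coverage` and `host` are assumptions made for this sketch.

```python
import ipaddress
import re

# tcpdump -nn prints IPv4 packets as "... IP src[.port] > dst[.port]: ..."
ENDPOINTS = re.compile(r" IP (\S+) > (\S+?):")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def host(endpoint):
    """Drop the trailing .port that tcpdump appends for TCP/UDP."""
    return ipaddress.ip_address(".".join(endpoint.split(".")[:4]))

def coverage(lines, segments, sensor_ip):
    """Classify each segment as 'transit', 'flood-only' or 'unseen'."""
    sensor = ipaddress.ip_address(sensor_ip)
    nets = [ipaddress.ip_network(s) for s in segments]
    seen = {s: "unseen" for s in segments}
    for line in lines:
        m = ENDPOINTS.search(line)
        if not m:
            continue  # ARP, IPv6 and anything else that is not IPv4
        try:
            src, dst = host(m.group(1)), host(m.group(2))
        except ValueError:
            continue  # host names instead of addresses: capture lacked -n
        if sensor in (src, dst):
            continue  # the sensor's own traffic says nothing about mirroring
        # Broadcast and multicast reach every switch port, mirrored or not.
        flood = (dst.is_multicast or dst == LIMITED_BROADCAST
                 or any(dst == n.broadcast_address for n in nets))
        for name, net in zip(segments, nets):
            if src in net or dst in net:
                if not flood:
                    seen[name] = "transit"
                elif seen[name] == "unseen":
                    seen[name] = "flood-only"
    return seen

# Constructed capture: sensor 192.0.2.10 on an unmirrored switch port.
SEGMENTS = ["191.168.1.0/24", "191.168.2.0/24", "192.0.2.0/24"]
SAMPLE = [
    "15:11:49.000101 IP 192.0.2.10.40000 > 192.0.2.1.53: 4660+ A? example.com. (29)",
    "15:11:50.000202 IP 192.0.2.1.9999 > 192.0.2.255.9999: UDP, length 50",
    "15:11:51.000303 ARP, Request who-has 192.0.2.1 tell 192.0.2.77, length 46",
]

if __name__ == "__main__":
    for segment, state in coverage(SAMPLE, SEGMENTS, "192.0.2.10").items():
        print(f"{segment:18} {state}")
```

A segment that stays "unseen" or "flood-only" while hosts on it are known to be talking points at the physical path (no mirror port, switching hub) rather than at the Snort configuration.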