Snort mailing list archives

Re: Snort not seeing everything


From: "fname lname" <larskman () gmail com>
Date: Wed, 14 Jun 2006 10:32:06 -0400

Oh, sorry I forgot to state my goal.  My goal is to see all traffic coming
in and out of the network from the internet.  So by tapping the first and
last route to the network off the pix I thought would do the job?

On 6/14/06, Stephen John Smoogen <smooge () gmail com> wrote:

On 6/14/06, fname lname <larskman () gmail com> wrote:
> Our office recently moved to a new location and now my snort is not seeing
> everything so it must be something I didn't set up right.
>
> The way I have it set up is right off of the pix inside cable it's going to a
> passive tap that I built from the docs on Snort's site, from there it's going
> to the network's switch.  From that we have a few servers plugged in and
> another switch where a few more servers are and then lastly another switch
> where the workstations are plugged into.
>

What are you wanting the IDS to see? At this point your IDS will see
all Internet traffic. If you are wanting to see traffic from boxes on
switch1 to switch2, etc., you would need either more TAPs or a
different switch mechanism.

INTERNET---pix---TAP0---switch1----TAP1---switch2
                              |            |
                              |          TAP2
                              |            |
                            IDS     switch3


TAP1 and TAP2 would then see inter switch traffic but not intra switch
traffic. In those cases you would want to take a big hit in
performance and either use a HUB or make your switch into a 'smart'
hub by having one port mirror/duplicate all traffic so it feeds to the
IDS(s).


--
Stephen J Smoogen.
CSIRT/Linux System Administrator
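
The tap coverage described in the reply can be checked by modelling the diagram as a graph and listing which flows cross no tap. This is an added example, not part of the original thread; the host names (srvA, srvB, srvC, ws1, ws2) and their placement on the switches are assumptions based on the poster's description.

```python
from collections import deque
from itertools import combinations

# Links from the diagram in the reply; the value is the tap on that link, if any.
# Host names are constructed for illustration.
LINKS = {
    ("internet", "pix"): None,
    ("pix", "switch1"): "TAP0",
    ("switch1", "switch2"): "TAP1",
    ("switch2", "switch3"): "TAP2",
    ("switch1", "srvA"): None,
    ("switch1", "srvB"): None,
    ("switch2", "srvC"): None,
    ("switch3", "ws1"): None,
    ("switch3", "ws2"): None,
}

def neighbours(node):
    """Yield (adjacent node, tap on the connecting link or None)."""
    for (a, b), tap in LINKS.items():
        if a == node:
            yield b, tap
        elif b == node:
            yield a, tap

def taps_on_path(src, dst):
    """Return the set of taps crossed on the path src -> dst (breadth-first search)."""
    queue = deque([(src, frozenset())])
    seen = {src}
    while queue:
        node, taps = queue.popleft()
        if node == dst:
            return set(taps)
        for nxt, tap in neighbours(node):
            if nxt not in seen:
                seen.add(nxt)
                crossed = (taps | {tap}) if tap else taps
                queue.append((nxt, crossed))
    raise ValueError(f"no path {src} -> {dst}")

def blind_flows(endpoints, deployed):
    """Endpoint pairs whose traffic crosses none of the deployed taps."""
    deployed = set(deployed)
    return [(a, b) for a, b in combinations(sorted(endpoints), 2)
            if not taps_on_path(a, b) & deployed]

ENDPOINTS = ["internet", "srvA", "srvB", "srvC", "ws1", "ws2"]
```

With only TAP0 deployed, every Internet flow is covered and every internal pair is blind; with all three taps, only the same-switch pairs remain blind, which is the case where a hub or mirror port is needed.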
