Snort mailing list archives

Re: Snort not seeing everything


From: Eric Hines <eric.hines () appliedwatch com>
Date: Wed, 14 Jun 2006 10:06:19 -0500


This doesn't look right. Why would you install a Tap, then hang the
Snort sensor off the switch? The purpose of the tap is to tap in to the
network and replace span ports on your switch. The Snort sensor is
supposed to be hanging off the monitoring port of the Tap.





Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC


---------------------------------------------

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 213
Crystal Lake, IL 60014
Toll Free: (877) 262-7593 ext:327
Direct: (847) 854-2725 ext:327
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
Email: eric.hines () appliedwatch com

--------------------------------------------

"Enterprise Open Source Security Management"


fname lname wrote:
Our office recently moved to a new location and now my Snort is not seeing
everything, so it must be something I didn't set up right.

The way I have it set up is right off of the PIX inside cable it's going to a
passive tap that I built from the docs on Snort's site; from there it's going
to the network's switch.  From that we have a few servers plugged in and
another switch where a few more servers are, and then lastly another switch
where the workstations are plugged into.

INTERNET---pix---TAP---switch1
                            |            |
                          IDS     switch2
                                         |
                                    switch3

The above drawing is how the network is set up based on funds. Based on the
drawing, if a workstation on switch3 goes to www.google.com, should I see that
traffic because I have a TAP in the inside wire of the PIX, which is the last
route to the internet?

Hmm, I'm thinking: should I change the above network to look like this?


INTERNET---pix---TAP---switch1---switch3
                            |          |
                          IDS   switch2

Thank you for help in advance.


------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users