Re: Snort not seeing everything

["fname lname" <larskman () gmail com>]

Ok, im on site now and I found the problem.

The network is configure like below:

INTERNET---pix---TAP---switch1---switch3
                            |          |
                          IDS   switch2

And the proble was someone had the tap on the a server and not the inside
pix.

lol

Problem solved and I am seeing all traffic now.

Thanks!

On 6/14/06, fname lname <larskman () gmail com> wrote:
> The tap is tapping into the wire that is leaving the inside port of the
> pix.  For the pix it goes to the tap and out of the tap it goes to the
> switch.
>
> The switch are not smart switches so that is why i am using a tap.
>
> On 6/14/06, Stephen John Smoogen <smooge () gmail com> wrote:
>
> > On 6/14/06, Eric Hines <eric.hines () appliedwatch com> wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > This doesn't look right. Why would you install a Tap, then hang the
> > > Snort sensor off the switch? The purpose of the tap is to tap in to
> > the
> > > network and replace span ports on your switch. The Snort sensor is
> > > supposed to be hanging off the monitoring port of the Tap.
> > >
> >
> > I do not see where he is putting the snort sensor on the switch. The
> > IDS seems to stay in the same spot.. the last jump out/first jump in.
> >
> > --
> > Stephen J Smoogen.
> > CSIRT/Linux System Administrator
> >
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users