Re: Snort not seeing traffic

[Pratik Narang <pratik.cse.bits () gmail com>]

On Tue, Aug 28, 2012 at 8:25 PM, Jeremy Hoel <jthoel () gmail com> wrote:
> Ok.. and the machines connect to the internet how?  Through a router?

The machines connect through a switch which in turns connects to the
border router.

> All 4 devices are plugged into the same switch and you are
> spanning/monitoring the right port on the switch?

"right port"?? not clear to me...

Can you see the
> traffic with TCPDump?
As I said, I did a run with Wireshark too (in promiscuous mode) but
did not see the traffic.

If I am not wrong, the simple mistake is that I am connected via a
switch, and so, all the network traffic is not visible at my
interface.

> On Tue, Aug 28, 2012 at 4:01 AM, Pratik Narang
> <pratik.cse.bits () gmail com> wrote:
> > It is in Bridged mode.
> >
> > On Mon, Aug 27, 2012 at 7:26 PM, Jeremy Hoel <jthoel () gmail com> wrote:
> > > How is the interfact between the VM gues and host setup?  Private LAN?
> > >  NAT?  Bridged?
> > >
> > > On Mon, Aug 27, 2012 at 6:01 AM, Pratik Narang
> > > <pratik.cse.bits () gmail com> wrote:
> > > > I have three machines on my test bed- A, B and C. Snort runs on A.
> > > > B and C both have a VM running as well.
> > > > I am unable to understand why Snort is not seeing the traffic that is
> > > > flowing between machine B/VM on B/machine C/VM on C and the internet.
> > > >
> > > >  Snort.conf clearly says-
> > > > # Setup the network addresses you are protecting
> > > > ipvar HOME_NET [172.16.x0.0/24]
> > > >
> > > > # Set up the external network addresses. Leave as "any" in most situations
> > > > ipvar EXTERNAL_NET any
> > > >
> > > > I tried doing packet captures in promiscuous mode on A. Even Wireshark
> > > > doesn't see that traffic from those machines to the internet. So it
> > > > doesn't seem to be any problem with Snort but with my settings.
> > > >
> > > > What am I doing wrong?
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Live Security Virtual Conference
> > > > Exclusive live event will cover all the ways today's security and
> > > > threat landscape has changed and how IT managers can respond. Discussions
> > > > will include endpoint security, mobile security and the latest in malware
> > > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!