Snort mailing list archives

Re: Port mirroring settings for SNORT


From: Kevin Ross <kevross33 () googlemail com>
Date: Mon, 31 Mar 2014 14:32:47 +0100

If you want it to capture other traffic from other machines you have a few
options:

1) You create a SPAN/Mirror port on your network switch to send traffic
from a choke point on your network (i.e. Internet link on inside interface
of firewall) to the interface that your sensor is plugged into and then
just sniff the interface (you should have 2 interfaces on your sensor at
least: 1 for management with an IP address and the other for sniffing). You
will need a managed switch to do this (i.e. a switch you can configure such as
Cisco ones). Note depending on traffic levels if monitoring a lot of
traffic you may have to consider things like interface tuning, using
pfring, dedicated network cards etc. with more being required the higher the
levels of traffic you are looking at and the more intensive application
inspection you are applying to it. I would also recommend using a minimal
*nix OS.

2) You have Snort running inline to the traffic. This means you could also
operate in IPS mode too depending on your configuration. You could also
utilise something like pfSense - www.pfsense.org - firewall if in a home
network (highly recommended) and then use the snort package in that to
monitor your network and protect your internet link. If this is a SOHO type
thing this may be more ideal for you if you are unsure and just want to see
about getting detection although not so much if your aim is to learn a lot
about Snort (which is a valuable thing to do).


Hope that helps.
Kevin Ross


On 28 March 2014 18:31, basant subba <basantsubba () gmail com> wrote:

How do I set my SNORT configuration in promiscuous mode so that it
captures packets from other machines in the network as well? Presently it is
only monitoring the packets of my machine but I want it to capture packets
from other devices in the network as well.


------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
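
Added example (not part of the original posts or of Snort itself): a check for whether the sniffing interface from option 1 actually receives mirrored traffic, by counting unicast frames between two other hosts in `tcpdump -e -nn` output. The interface name eth1, the function names and the sample frames are assumptions constructed for illustration.

```shell
#!/bin/sh
# Live use on the sensor (eth1 is an assumed name for the sniffing interface):
#   ip link set dev eth1 up promisc on
#   tcpdump -i eth1 -e -nn -c 500 2>/dev/null |
#       count_foreign_frames "$(cat /sys/class/net/eth1/address)"

# Reads `tcpdump -e -nn` lines on stdin and prints how many frames are unicast
# between two other hosts, i.e. neither sent by nor addressed to SENSOR_MAC ($1).
count_foreign_frames() {
    awk -v own="$1" '
        BEGIN { own = tolower(own) }
        $3 == ">" {
            src = tolower($2); dst = tolower($4); sub(/,$/, "", dst)
            if (length(src) != 17 || length(dst) != 17) next
            if (src == own || dst == own) next   # traffic of the sensor itself
            # Odd second hex digit = group bit set = broadcast/multicast,
            # which every switch port receives even without a mirror.
            if (substr(dst, 2, 1) ~ /[13579bdf]/) next
            n++
        }
        END { print n + 0 }'
}

# Constructed sample: what an unmirrored switch port typically shows.
sample_unmirrored() {
cat <<'EOF'
10:00:00.000001 52:54:00:aa:00:01 > 52:54:00:aa:00:fe, ethertype IPv4 (0x0800), length 74: 192.0.2.10.40000 > 198.51.100.7.443: Flags [S], length 0
10:00:00.000200 52:54:00:aa:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.20, length 46
10:00:00.000300 52:54:00:aa:00:fe > 52:54:00:aa:00:01, ethertype IPv4 (0x0800), length 74: 198.51.100.7.443 > 192.0.2.10.40000: Flags [S.], length 0
EOF
}

# Constructed sample: the same port once a SPAN session feeds it.
sample_mirrored() {
sample_unmirrored
cat <<'EOF'
10:00:01.000001 52:54:00:aa:00:02 > 52:54:00:aa:00:fe, ethertype IPv4 (0x0800), length 74: 192.0.2.20.41000 > 203.0.113.9.80: Flags [S], length 0
10:00:01.000150 52:54:00:aa:00:fe > 52:54:00:aa:00:02, ethertype IPv4 (0x0800), length 74: 203.0.113.9.80 > 192.0.2.20.41000: Flags [S.], length 0
10:00:01.000400 52:54:00:aa:00:03 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.0.2.30.5353 > 224.0.0.251.5353: 0 PTR (QM)? _ipp._tcp.local. (45)
EOF
}

SENSOR_MAC=52:54:00:aa:00:01   # constructed MAC of the sensor interface
echo "unmirrored: $(sample_unmirrored | count_foreign_frames "$SENSOR_MAC") foreign unicast frames"
echo "mirrored:   $(sample_mirrored | count_foreign_frames "$SENSOR_MAC") foreign unicast frames"
```

A count of zero on a busy network means the mirror is not delivering traffic to the sensor port. A small non-zero count can also come from the switch flooding frames for destinations it has not learned yet, so look for a sustained count.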
