RE: [Snort-users] Will only detect server IP

08-31-2004
Don Hammer

I ran Ethereal and it shows all of my network IPs

Don Hammer



-----Original Message-----
From: Matt Kettler [mailto:mkettler@evi-inc.com]
Sent: Friday, August 27, 2004 8:21 AM
To: hammerd@evanite.com; snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Will only detect server IP


At 05:18 PM 8/26/2004, Don Hammer wrote:
>I am running snort on RedHat 9.0. It is collecting and reporting alerts, but
>only alerts to or from the IP address of the server snort is running on. I
>have another system that is on the same hub and snort will not detect any
>alerts from that system. Any ideas?


Are you sure your hub is really a true hub?

If it's 10/100 dual speed, it may be more like a switch than a hub. Some of
these act like half-duplex switches, some act like a 10mbit hub and a
100mbit hub connected by a 2-port switch (aka bridge). All must have some
form of switch-like behavior, as it's impossible to act like a pure passive
hub and support both speeds. (Any 10/100 dual speed hub trying to be purely
passive with no switching would be bandwidth limited to 10mbit.)

Try firing up tcpdump or Ethereal to see if the traffic of interest ever
gets to your snort box.





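An added example, not part of the original thread, of the tcpdump check suggested above: it sorts `tcpdump -nn` output lines into traffic involving the sensor, broadcast/multicast traffic (which a switch normally delivers to every port), and unicast traffic between two other hosts, the only kind that shows the sensor really shares the segment. The sensor address, LAN prefix, function names and sample lines are constructed assumptions.

```python
import ipaddress
import re

# Address pair in `tcpdump -nn` IPv4 output; the port suffix is absent for ICMP.
PAIR = re.compile(r" IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

def classify(lines, sensor_ip, lan_cidr):
    """Count packets by what they prove about the sensor's view of the segment."""
    sensor = ipaddress.ip_address(sensor_ip)
    lan = ipaddress.ip_network(lan_cidr)
    counts = {"sensor": 0, "flooded": 0, "third_party_unicast": 0, "skipped": 0}
    for line in lines:
        m = PAIR.search(line)
        if not m:
            counts["skipped"] += 1  # ARP, IPv6 and anything else not parsed here
            continue
        src, dst = (ipaddress.ip_address(a) for a in m.groups())
        if sensor in (src, dst):
            counts["sensor"] += 1  # reaches the sensor on a hub or a switch
        elif dst.is_multicast or dst == lan.broadcast_address or str(dst) == "255.255.255.255":
            counts["flooded"] += 1  # broadcast/multicast: normally flooded by a switch
        else:
            counts["third_party_unicast"] += 1  # needs shared media or a mirror port
    return counts

def sees_other_hosts(counts):
    """True only when unicast traffic between two other hosts was captured."""
    return counts["third_party_unicast"] > 0

# Constructed sample capture; 192.168.1.10 is the assumed sensor address.
SAMPLE = [
    "12:00:01.000001 IP 192.168.1.10.22 > 192.168.1.20.51000: Flags [P.], length 64",
    "12:00:01.100000 IP 192.168.1.20.138 > 192.168.1.255.138: UDP, length 201",
    "12:00:01.200000 ARP, Request who-has 192.168.1.1 tell 192.168.1.30, length 46",
    "12:00:01.300000 IP 192.168.1.30.5353 > 224.0.0.251.5353: UDP, length 45",
    "12:00:01.400000 IP 192.168.1.20.40000 > 192.168.1.30.80: Flags [S], length 0",
    "12:00:01.500000 IP 192.168.1.30 > 192.168.1.20: ICMP echo request, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    result = classify(SAMPLE, "192.168.1.10", "192.168.1.0/24")
    print(result, "sees other hosts:", sees_other_hosts(result))
```

A switch also floods unicast frames for MAC addresses it has not learned yet, so judge on a sustained capture rather than a handful of packets.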