Snort Forums Archive
Snort behavior on a monitor port
Posted by techiem2 on August 16, 2006 11:51:32
We rebuilt our hotspot box so it's working properly, but we're still having an issue with snort (we think).
Here's the setup:
eth0 is the external interface (to the campus network)
eth1 is the chillispot interface (this connects to the wireless network and has no IP)
tun0 is the chillispot tunnel that uses eth1 and actually has an IP
eth2 is connected to a monitor port on the switch (the switch feeds all traffic from the wireless to eth2 for snort to monitor) and is monitored by snort - this interface has no IP.
Shorewall firewall - currently with no rules set for eth2.
Snort 2.4.5
The problem is, snort only seems to generate alerts for traffic that actually passes through the firewall, and does not generate alerts for attempted port scans or connections (such as an irc client trying to connect) that are blocked by the firewall.
This is rather confusing considering that it's watching a port that should be receiving all traffic....
Any suggestions as to what we might be doing wrong?
Thanks.