1

Setup Information

I am doing an experiment on portscan detection using Snort 2.9.8. I have 10 systems in my lab with IDs 1, 2, 3, ..., 10. I have installed Snort on my lab PC with ID 1. Now I am using the PC with ID 2 to scan the PCs in the lab using nmap.

Doubt

When I scan the machine on which Snort is installed (ID 1), I get the portscan alerts; however, when I scan other systems (e.g. the system with ID 3), Snort does not generate any alerts.

So, why is Snort unable to generate portscan alerts in this scenario?

(I was assuming that Snort monitors packets in HOME_NETWORK in promiscuous mode. Kindly correct me if I am wrong.)

Steffen Ullrich
user10012

3 Answers

3

I was assuming that Snort monitors packets in HOME_NETWORK in promiscuous mode. Kindly correct me if I am wrong.

Snort can only monitor packets which can be seen at the network card, even in promiscuous mode. Usually the switch in a network will only send out packets on the port where the specific device is connected. This means that Snort has to be installed on the monitor port of the switch or similar.

See also http://openmaniak.com/snort_other.php

Steffen Ullrich
1

Difficult to say without knowing the network topology, but I'd guess that you've not got snort set up on a SPAN port or similar.

If your network is switched, then the snort box won't be receiving traffic which isn't either directed to it, or the broadcast. It may be listening in promiscuous mode, but if the packets aren't actually hitting the interface, there's not a lot that snort can do about it.

The solution would be to put snort in some position where it can see the traffic you want to detect. Either inline (between the two hosts), or on a SPAN port mirroring the traffic on the switch.

Jozef Woods
0

You should make sure your IDS is connected to the switch in SPAN mode, or port mirroring mode. Then you should set up SPAN for the VLAN, and then all packets will hit your port, ergo your network card, ergo Snort.

kaidentity
greg