
I have configured a Cisco 3500 switch with a port SPAN and have my snort node (Fedora 13) plugged into it. I am running snort as a daemon and have configured a rule to log all TCP traffic, but I am only seeing traffic with a destination of the snort node. I know that the SPAN port is working and wanted to know if there is a specific option that I needed to start snort with in order for it to pick up all the traffic? Or is there something that I have missed here?

Many thanks.

aHunter

1 Answer

Depending on the configurations that shipped with your package, you may have some settings wrong. The base snort.conf file should work, however you should inspect the system config file /etc/sysconfig/snort and make sure these two options are set sanely.

  • INTERFACE
  • BPF

Also, you should look at the system log, /var/log/messages by default, to see if the interface is actually entering promiscuous mode. If so, you should see something along these lines:

kernel: device eth1 entered promiscuous mode

You can also get good debugging information from the perfmonitor preprocessor. You can enable it in your snort.conf with something like:

preprocessor perfmonitor: time 300 file /var/log/snort/snort.stats pktcnt 10000

This will dump a VERY large comma-delimited list of performance values from the snort application. The full list of all the values dumped can be found in the manual, either shipped or at snort_manual.pdf. You might be interested to look at:

  • Total Packets Received
  • Mbits/Sec (applayer)
  • TCP Sessions Initializing

The values from those, and possibly others, should help determine whether the application itself is even seeing the packets, let alone processing them.

Scott Pack
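The first two checks from the answer above (the INTERFACE/BPF settings in /etc/sysconfig/snort and the "entered promiscuous mode" kernel messages in /var/log/messages) as a small POSIX shell script. This is an added example, not code from the answer or from the Snort project; the sample config and log lines are constructed here so the functions can be exercised offline, and the real files are only read when the script is started with --live.

```shell
#!/bin/sh
# Constructed stand-in for /etc/sysconfig/snort (not the asker's real file).
make_sample_sysconfig() {  # $1 = path to write
  cat > "$1" <<'EOF'
# sysconfig sample (constructed for this example)
INTERFACE=eth1
BPF="/etc/snort/filter.bpf"
LOGDIR=/var/log/snort
EOF
}
# Constructed stand-in for /var/log/messages (not a real capture).
make_sample_log() {  # $1 = path to write
  cat > "$1" <<'EOF'
Jun 14 10:01:02 sensor kernel: device eth1 entered promiscuous mode
Jun 14 10:01:02 sensor snort[1234]: Initializing daemon mode
Jun 14 10:05:40 sensor kernel: device eth1 left promiscuous mode
Jun 14 10:06:00 sensor kernel: device eth1 entered promiscuous mode
EOF
}
# Value of KEY=value in a sysconfig file (last assignment wins, surrounding
# double quotes stripped, comment lines ignored); prints "unset" if absent.
sysconfig_value() {  # $1 = file, $2 = key
  val=$(grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 \
        | sed 's/^[^=]*=//; s/^"\(.*\)"$/\1/')
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}
# Number of times the kernel reported the interface entering promiscuous mode.
promisc_events() {  # $1 = syslog file, $2 = interface
  grep -c "device $2 entered promiscuous mode" "$1" 2>/dev/null || true
}
# Most recent promiscuous-mode transition for the interface: entered, left, or never.
promisc_state() {  # $1 = syslog file, $2 = interface
  last=$(grep -E "device $2 (entered|left) promiscuous mode" "$1" 2>/dev/null \
         | tail -n 1 | sed 's/.*device [^ ]* \([a-z]*\) promiscuous mode.*/\1/')
  if [ -n "$last" ]; then printf '%s\n' "$last"; else printf 'never\n'; fi
}
# Summarise both checks for a config file and a syslog file.
report() {  # $1 = sysconfig file, $2 = syslog file
  iface=$(sysconfig_value "$1" INTERFACE)
  echo "INTERFACE=$iface BPF=$(sysconfig_value "$1" BPF)"
  echo "$iface: $(promisc_events "$2" "$iface") promiscuous-mode entries," \
       "last state: $(promisc_state "$2" "$iface")"
}
# Only touch the real paths named in the answer when explicitly asked to.
if [ "${1:-}" = "--live" ]; then report /etc/sysconfig/snort /var/log/messages; fi
```

An INTERFACE that does not match the SPAN-connected NIC, a stray BPF file, or a last state of "never" or "left" each explain seeing only traffic addressed to the sensor itself.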