
I'm currently trying to set up Snort on my local machine. At the moment I have 3 VMs: 1 with Snort on it and 2 used to ping each other. Whenever I ping from one of the devices to the Snort machine, Snort notices it and sends an alert. However, when I ping between the 2 'not Snort' machines, Snort doesn't notice anything.

I've always been told that Snort would act like Wireshark and notice all the network's traffic. Am I wrong in this?

If it helps, this is the guide I used: https://upcloud.com/community/tutorials/install-snort-ubuntu/

Thanks in advance!

  • 1
    Usually Snort and its alternatives are either used to transparently "pass through" (1 NIC in -> 1 NIC out) all traffic in front of a gateway or router or some such, or by port-mirroring some traffic and investigating that. In your setup you either have to set promiscuous mode so the Snort machine can even _see_ the packets, or you have to mirror all traffic to it. In short: you have to make sure your Snort box has access to the traffic it should sniff. – Lenniey Jan 03 '19 at 08:22
  • The problem is that my interface is set in promiscuous mode. When I execute netstat -i it says 'BMPRU'. – Sander Willems Jan 03 '19 at 08:27
  • The interface of your Snort box inside the OS, yes, but VM-wise? What hypervisor are you using? – Lenniey Jan 03 '19 at 08:33
  • Oh that's indeed a solid lead! I'm using Virtualbox at the moment. – Sander Willems Jan 03 '19 at 08:41
  • Yes, you have to set the promiscuous mode in the advanced network adapter settings in your VM options. Should be fine, then. – Lenniey Jan 03 '19 at 08:42
  • Glad you got it working :) – Lenniey Jan 03 '19 at 08:51

1 Answer


In the case of VirtualBox you have to set promiscuous mode in the Snort VM's advanced interface options to be able to see the traffic between other VMs / different networks.

Lenniey
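As an added example (not part of Lenniey's answer, the question, or the UpCloud guide), the script below covers both halves of the problem discussed in the comments and the answer: the host-side VirtualBox setting that lets the Snort VM's adapter receive other VMs' frames, and a guest-side check that the interface really reports promiscuous mode. The VM name "snort-vm" and adapter number 1 are placeholders; the netstat and ip link output is constructed to match the 'BMPRU' flags the asker reported.

```shell
#!/bin/sh
# Added example, not from the question, the answer or the UpCloud guide.
# Two checks for a Snort VM under VirtualBox that only sees traffic addressed
# to itself:
#   1. host side: the VBoxManage command that allows the VM's adapter to receive
#      frames of the other VMs (VM name and adapter index are placeholders);
#   2. guest side: confirm the interface is in promiscuous mode by parsing
#      `netstat -i` or `ip link show` output.
# The guest flag alone is not sufficient: the hypervisor must also forward the
# frames, which is what the VBoxManage setting controls.

# Print the host-side VBoxManage command for VM "$1", adapter number "$2".
# --nicpromisc<N> accepts deny (the default), allow-vms and allow-all; the VM
# must be powered off when modifyvm is run.
vbox_promisc_cmd() {
    printf 'VBoxManage modifyvm "%s" --nicpromisc%s allow-all\n' "$1" "$2"
}

# Return 0 if interface "$1" carries the P (promiscuous) flag in the Flg column
# of the `netstat -i` output passed as "$2"; return 1 otherwise.
netstat_promisc() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $1 == ifc { if ($NF ~ /P/) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Same check for `ip link show` output, where the flag set is the third field,
# e.g. <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP>.
iplink_promisc() {
    printf '%s\n' "$2" | awk -v ifc="$1:" '
        $2 == ifc { if ($3 ~ /PROMISC/) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample output (not captured from a real machine). enp0s3 is
# promiscuous, enp0s8 is not.
SAMPLE_NETSTAT='Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
enp0s3    1500    12345      0      0 0          6789      0      0      0 BMPRU
enp0s8    1500      100      0      0 0           200      0      0      0 BMRU'

SAMPLE_IPLINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: enp0s3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'

# Report for one interface: guest status plus the host-side command to run.
report() {
    if netstat_promisc "$1" "$SAMPLE_NETSTAT" || iplink_promisc "$1" "$SAMPLE_IPLINK"; then
        echo "guest: $1 is in promiscuous mode"
    else
        echo "guest: $1 is NOT promiscuous; run: ip link set $1 promisc on"
    fi
    echo "host : also run -> $(vbox_promisc_cmd snort-vm 1)"
}

report enp0s3
report enp0s8
```

On a live guest, replace the constructed samples with `$(netstat -i)` or `$(ip link show)`. The end-to-end check is then to run `tcpdump -i enp0s3 icmp` on the Snort VM while the two other VMs ping each other: if no ICMP appears even though the guest flag is set, the VirtualBox adapter setting is still at its default "deny" and the hypervisor is not forwarding the frames.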