Re: [Snort-users] Capture Email Content / Website Activity

There are several challenges here. 

I am developing a solution for a client to allow them to determine if their 
network is clean for inappropriate  activity. They are running a Linksys 
router with built in switch. I suspect that this will limit the abilities to 
capture all the data. When I run "snort -dv" I am able to see all http 
activity but not outgoing emails from other machines. I can see the email was 
sent but that was it.

Do I need to get a new switch to accomplish this job?

Thanks

On November 27, 2005 03:39 am, barryab63-ia@yahoo.com wrote:
> In order to see everything on the network, you need to have one of the
> following:
>
>   1.  A true hub.  But, you'll only see traffic that passes through the
> hub. 2.  A switch that will let you configure a monitor port, have the port
> your snort box is connected to configured to monitor all the other ports. 
> How you do this depends on the switch. 3.  Use a network tap.  Place the
> tap were it will pickup the traffic you want to see, possibly between your
> firewall and inside router/switch, that way you would see everything in and
> out of your network. 4.  Run snort in in-line mode, place the snort box in
> a location similar to the network tap.
>
>   You would really need to give more information on your network to get a
> more detailed answer.
>
>   As to detecting web activity, snort does have some rules for detect web
> traffic.  But, it sound from you question that it might be better to try to
> get this info from you Firewall logs.  Snort isn't really a very good web
> usage monitoring tool.
>
>   Barry
>
>
>
> stuff@trackingsolutions.ca wrote:
>   I am new to snort and am starting to test things out. I am able to
> capture email content from the machine running snort, but I would also like
> to capture email being sent on the entire network. Is there a way to do
> this?
>
> Also is there a way to capture visited websites for the entire network to a
> file stating date, time, url, ipaddress?
>
> Thank you very much.
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through log
> files for problems? Stop! Download the new AJAX search engine that makes
> searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
> http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users