<quote who="justin cunningham">
> Hi, I haven't used snort before and wanted to see where the
> incoming traffic to my external ip is coming from. Can I do this
> with a machine behind the router? I mean, the deb machine is
> sitting on a 192x and I want to see the incoming traffic on the
> external ip. Is this possible or do I have to have the box before
> the router or should I just stick with tcpdump? Thanks for any
> suggestions, justin
if you just want to view where traffic is coming from then stick to tcpdump. or if you want an easier to read realtime view try iptraf. snort is only designed to show specific events, it won't show everything. as for where to put the machine, if you want to catch EVERYTHING it should be in between your router and the rest of your network (i personally use freebsd 4.4 with bridged interfaces to accomplish this). otherwise just run the program on each of your individual machines.

nate
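Added example, not part of the original messages: a shell function that tallies packets per source address from `tcpdump -nn` text output, which is the "where is the traffic coming from" view discussed above. The interface name, the address 192.168.1.10 and the sample lines are constructed; a host behind a NAT router sees only the traffic the router forwards to it, addressed to its internal IP.

```shell
#!/bin/sh
# Tally inbound packets per source address from `tcpdump -nn` text output.
# Live use (eth0 and 192.168.1.10 are assumed values):
#   tcpdump -nn -l -i eth0 dst host 192.168.1.10 | top_sources 192.168.1.10
# Only IPv4 ("IP") lines are counted; ARP and IP6 lines are skipped.

top_sources() {
    local_ip="$1"
    awk -v me="$local_ip" '
        # Strip a trailing ":" and ".port" from a tcpdump address field.
        function host(f,   n, p) {
            sub(/:$/, "", f)
            n = split(f, p, ".")
            if (n == 5) return p[1] "." p[2] "." p[3] "." p[4]  # addr.port
            return f                                  # ICMP etc.: no port
        }
        # Count a packet only when its destination is this host.
        $2 == "IP" && $4 == ">" {
            if (host($5) == me) count[host($3)]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines in tcpdump -nn format (documentation addresses).
sample_capture() {
cat <<'EOF'
10:00:01.000001 IP 203.0.113.5.51234 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
10:00:01.100000 IP 192.168.1.10.22 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
10:00:02.000000 IP 198.51.100.7 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64
10:00:03.000000 IP 203.0.113.5.51234 > 192.168.1.10.22: Flags [.], ack 3, win 502, length 0
10:00:04.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
EOF
}

# Prints one "count source" line per remote address, busiest first.
sample_capture | top_sources 192.168.1.10
```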