Snort mailing list archives
Re: Re: FAQ 10/100 Hubs Block Other Speed Traffic
From: "Larry E. Smith Jr." <lsmithjr () monster-solutions net>
Date: Thu, 9 Aug 2001 13:31:09 -0400
Yeah I know. But the instructions for a read only cable that Murphy was talking about was a cross over cable. Anyone know how to properly make a read only cat5 cable?

----- Original Message -----
From: "Jeff Ito" <jeff () delnoch net>
To: "Larry E. Smith Jr." <lsmithjr () monster-solutions net>
Cc: "Dragos Ruiu" <dr () kyx net>; "Murphy" <murphy () infomaniak ch>; <snort-users () lists sourceforge net>
Sent: Thursday, August 09, 2001 12:23 PM
Subject: Re: [Snort-users] Re: FAQ 10/100 Hubs Block Other Speed Traffic

machine->hub is a straight through, not a cross-over

jeff

This is just a cross over cable right? I made one and plugged one end into my snort box and the other into the hub and no go!

----- Original Message -----
From: "Dragos Ruiu" <dr () kyx net>
To: "Murphy" <murphy () infomaniak ch>
Cc: <snort-users () lists sourceforge net>
Sent: Thursday, August 09, 2001 5:16 AM
Subject: Re: [Snort-users] Re: FAQ 10/100 Hubs Block Other Speed Traffic

There's other good stuff in the FAQ too. Good detailed info in the second url.

--dr

3.1
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--

Q: How do I setup snort on a 'stealth' interface?

A: Bring up the interface without an IP address on it. See FAQ 3.2...
   http://www.geocrawler.com/archives/3/4890/2000/9/0/4399696/

A: Use an ethernet tap, or build your own 'receive-only' ethernet cable.
   http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm

A: Anyway, here is the cable I use:

     LAN           Sniffer
      1 -----\ /------ 1
      2 ---\ | \------ 2
      3 ---+-*-------- 3
      4 -  |         - 4
      5 -  |         - 5
      6 ---*---------- 6
      7 -            - 7
      8 -            - 8

   Basically, 1 and 2 on the sniffer side are connected, 3 and 6 straight through to the LAN. 1 and 2 on the LAN side connect to 3 and 6 respectively. This fakes a link on both ends but only allows traffic from the LAN to the sniffer. It also causes the 'incoming' traffic to be sent back to the LAN, so this cable only works well on a hub. You can use it on a switch but you will get ...err... interesting results. Since the switch receives the packets back in on the port it sent them out, the MAC table gets confused and after a short while devices start to drop off the switch. Works like a charm on a hub though.

On Wed, 08 Aug 2001, you wrote:

Excellent point, which raises a slightly off topic question.

Could we imagine making a special "tapping" CAT5 cable, that would, on one end of the cable have an extra twisted pair coming out (connected on the Rx on the normal wires) that would be used for tapping, by feeding those to the snort Box ?

I realise, that if it worked, it would limit either incoming or outgoing traffic to be monitored, but still it's a very, very cheap solution when you can go for a switch that has port mirroring.

Murphy.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of stefmit () starband net
Sent: Thursday, August 09, 2001 00:40
To: snort-users () lists sourceforge net
Subject: [Snort-users] Re: FAQ 10/100 Hubs Block Other Speed Traffic

Great descriptions - just to throw in a "minor" thing: if you deal with full duplex on a switched port, only a tap would save you - have successfully used Shomiti's ones on 100MB FD ports, and used two Snort instances, capturing traffic on both directions. Port mirroring didn't work in that case ...

Stef

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Dragos Ruiu <dr () dursec com>
dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
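
The switch behaviour described in the FAQ entry quoted in this thread, as an added example that is not part of the original messages: a simplified learning-switch model showing how frames looped back by the receive-only cable overwrite MAC table entries. The class, port numbers and MAC names are constructed for the illustration.

```python
# Added illustration (constructed model, not from the thread): a learning
# switch with the receive-only cable on one port. Port numbers and MAC
# names are made up for the example.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports, looped_ports=()):
        self.ports = list(ports)
        self.looped = set(looped_ports)   # ports wired with the cable
        self.mac_table = {}               # source MAC -> port it was last seen on

    def receive(self, in_port, src, dst, echoed=False):
        """Handle one frame arriving on in_port; return its egress ports."""
        self.mac_table[src] = in_port     # learning step: newest sighting wins
        known = self.mac_table.get(dst)
        if dst != BROADCAST and known is not None:
            out = [] if known == in_port else [known]
        else:
            out = [p for p in self.ports if p != in_port]   # flood
        for p in out:
            # The cable ties the switch's transmit pair to its own receive
            # pair, so every frame sent out of p comes straight back in on p.
            if p in self.looped and not echoed:
                self.receive(p, src, dst, echoed=True)
        return out

def unicast_path_to_a(cable_on_port_3):
    """Host A on port 1, host B on port 2, sniffer on port 3.
    Returns (ports B's frame to A leaves on, port the switch thinks A is on)."""
    sw = LearningSwitch([1, 2, 3], looped_ports=[3] if cable_on_port_3 else [])
    sw.receive(1, "mac-A", BROADCAST)        # A broadcasts (e.g. an ARP request)
    out = sw.receive(2, "mac-B", "mac-A")    # B answers A with a unicast frame
    return out, sw.mac_table["mac-A"]

if __name__ == "__main__":
    print("normal cable on port 3:      ", unicast_path_to_a(False))
    print("receive-only cable on port 3:", unicast_path_to_a(True))
```

With the cable attached, A's own broadcast re-enters on port 3, so the switch relearns A there and B's reply never reaches port 1. A hub keeps no MAC table, which is why the same loopback is harmless on one.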