Snort mailing list archives

RE: RE: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: [Snort-users] External snort monitoring)


From: "James Friesen" <lucretia () telusplanet net>
Date: Thu, 9 Aug 2001 16:37:58 -0600

What effect does running two snorts have on the logs?   Do you have separate
logs?  Can you dump to the same SQL database at the same time?  (etc.
related questions).

TIA!

:> -----Original Message-----
:> From: snort-users-admin () lists sourceforge net
:> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Jason
:> Sent: Wednesday, August 08, 2001 4:05 PM
:> To: Franki
:> Cc: snort-users () lists sourceforge net
:> Subject: [Snort-users] RE: FAQ 10/100 Hubs Block Other Speed Traffic
:> (was: RE: [Snort-users] External snort monitoring)
:>
:>
:> The easiest way around this without having to run 2 instances of snort
:> (you will need to do that to bind snort to 2 interfaces since snort does
:> not presently have the ability to run once on multiple interfaces), is to
:> place the snort box between whatever machine (router firewall etc) and the
:> switch/dual speed hub.  Bridge the interfaces (no IP is required that
:> way), and run snort on the external interface (not the one connected to
:> the switch/hub).. well you could put it on either,  but I like using the
:> external.  That way snort will see all incoming and outgoing traffic.
:> However, using this method will prevent you from logging to anything but
:> the snort box itself, and will also not be addressable remotely.
:>
:> The other method is to assign an IP to each nic, if you want the machine
:> addressable, however you do it, bridged or assigning IPs, as long as the
:> snort box is before the switch/hub it will see all traffic.
:>
:> Jason
:>
:> On Thu, 9 Aug 2001, Franki wrote:
:>
:> > if you have a dual speed hub, and machines running both speeds (netcards
:> > with 10 and 100),
:> >
:> > would it get around that if you had two NICs in the snort machine on the
:> > network? one for 10 and one for 100?
:> >
:> > I just heard this and I am wondering if it's something I need to worry about
:> > before rolling out snort...
:> >
:> > rgds
:> >
:> > Frank
:> >
:> > -----Original Message-----
:> > From: snort-users-admin () lists sourceforge net
:> > [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Dragos Ruiu
:> > Sent: Thursday, 9 August 2001 3:16 AM
:> > To: swilcoxon () iqmarketing com; lsmithjr () monster-solutions net;
:> > fhmiv () mac com
:> > Cc: snort-users () lists sourceforge net; snort-users () sourceforge net
:> > Subject: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE:
:> > [Snort-users] External snort monitoring)
:> >
:> >
:> > This _has_ to be put into the FAQ.
:> >
:> > Does anyone care to try penning/editing the conclusive,
:> > concise, and tutorial answer also explaining the
:> > operation of the hub that causes Snort/IDS problems...?
:> >
:> > cheers,
:> > --dr
:> >
:> > On Wed, 08 Aug 2001, swilcoxon () iqmarketing com wrote:
:> > > Dual speed hubs act like a switch between the two different speeds. If your
:> > > two machines are at different speeds you won't see the other traffic.
:> > >
:> > > S.W.
:> > >
:> > > > -----Original Message-----
:> > > > From: Larry E. Smith Jr. [mailto:lsmithjr () monster-solutions net]
:> > > > Sent: Wednesday, August 08, 2001 12:01 PM
:> > > > To: Frank McPherson
:> > > > Cc: Snort List (E-mail); Snort Users
:> > > > Subject: Re: [Snort-users] External snort monitoring
:> > > >
:> > > >
:> > > > It shows in the system log as going into promiscuous mode, and I called
:> > > > Linksys to verify that this is a hub and not a switch. And I do not need to
:> > > > set an IP for the sensor, correct?
:> > > >
:> > > > ----- Original Message -----
:> > > > From: "Frank McPherson" <fhmiv () mac com>
:> > > > To: "Larry E. Smith Jr." <lsmithjr () monster-solutions net>
:> > > > Cc: "Snort List (E-mail)"
:> > > > <snort-users () lists sourceforge net>; "Snort Users"
:> > > > <snort-users () sourceforge net>
:> > > > Sent: Wednesday, August 08, 2001 12:11 PM
:> > > > Subject: Re: [Snort-users] External snort monitoring
:> > > >
:> > > >
:> > > >
:> > > > Two ideas:
:> > > >
:> > > > The ethernet interface on your external snort sensor is not in
:> > > > promiscuous mode;
:> > > >
:> > > > or
:> > > >
:> > > > your "hub" is really a switch.
:> > > >
:> > > > On Wednesday, August 8, 2001, at 11:12  AM, Larry E. Smith Jr. wrote:
:> > > >
:> > > > > I have my cable modem hooked into a Linksys 5 port hub and I also have
:> > > > > a snort sensor configured on the hub to catch all traffic coming to my
:> > > > > network. From the 5 port hub it connects into a Linksys router which is
:> > > > > where my server is located. My question is why can I catch traffic on
:> > > > > my internal snort sensor connected to the Linksys router, but all I can
:> > > > > see are ARP requests on the external snort sensor which is connected to
:> > > > > the hub? Anyone have any ideas?
:> > > > >
:> > > >
:> > > > _______________________________________________
:> > > > Snort-users mailing list
:> > > > Snort-users () lists sourceforge net
:> > > > Go to this URL to change user options or unsubscribe:
:> > > > http://lists.sourceforge.net/lists/listinfo/snort-users
:> > > > Snort-users list archive:
:> > > > http://www.geocrawler.com/redir-sf.php3?list=ort-users
:> > > >
:> > --
:> > Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future
:> > gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
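
Added example, not part of the original thread: a toy model of the dual speed hub behaviour described in the quoted replies, showing why a sensor on the other speed captures only broadcast frames such as ARP requests. It assumes the hub joins its 10 and 100 Mbit/s segments with a MAC-learning bridge; the port names, speeds, MAC addresses and frames are constructed.

```python
# Added example: toy model of a dual-speed hub (assumed behaviour, see lead-in).
BROADCAST = "ff:ff:ff:ff:ff:ff"

class DualSpeedHub:
    """Two repeater segments (10 and 100 Mbit/s) joined by a learning bridge."""

    def __init__(self):
        self.ports = {}      # port name -> segment speed (10 or 100)
        self.mac_table = {}  # source MAC -> segment speed it was learned on

    def attach(self, name, speed):
        self.ports[name] = speed

    def send(self, src_port, src_mac, dst_mac):
        """Return the sorted list of ports that receive this frame."""
        seg = self.ports[src_port]
        self.mac_table[src_mac] = seg  # the bridge learns where the sender is
        # Repeater behaviour: every other port at the same speed sees the frame.
        seen = {p for p, s in self.ports.items() if s == seg and p != src_port}
        # Bridge behaviour: the frame crosses to the other speed only if it is
        # a broadcast or its destination was not learned on this segment.
        if dst_mac == BROADCAST or self.mac_table.get(dst_mac) != seg:
            seen |= {p for p, s in self.ports.items() if s != seg}
        return sorted(seen)

def sensor_view(sensor_speed):
    """Replay a constructed exchange; return the frames the sensor receives."""
    hub = DualSpeedHub()
    hub.attach("modem", 10)    # assumed: cable modem links at 10 Mbit/s
    hub.attach("router", 10)   # assumed: router WAN port links at 10 Mbit/s
    hub.attach("sensor", sensor_speed)
    modem, router = "00:00:00:00:00:01", "00:00:00:00:00:02"  # constructed MACs
    frames = [
        ("router", router, BROADCAST, "ARP who-has"),
        ("modem", modem, router, "ARP reply"),
        ("router", router, modem, "TCP SYN"),
        ("modem", modem, router, "TCP SYN-ACK"),
    ]
    return [label for port, src, dst, label in frames
            if "sensor" in hub.send(port, src, dst)]

if __name__ == "__main__":
    print("sensor at 100 Mbit/s sees:", sensor_view(100))
    print("sensor at 10 Mbit/s sees: ", sensor_view(10))
```

With the sensor NIC forced to the same speed as the monitored hosts, it shares their repeater segment and receives the unicast traffic as well.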
