Snort mailing list archives
Hogwash problem
From: <bthaler () webstream net>
Date: Mon, 1 Oct 2001 16:01:47 -0400
Sorry for the cross-post, people, but I thought some of you Snort folks might be able to help here.

I am trying to implement hogwash-0.1d into my production network environment, and running into a brick wall. I got hogwash installed with no problems whatsoever, and even tested it successfully. Here's how I tested it:

TESTING SETUP

BTW, this is the same way my Snort setup currently runs in production mode.

Internet comes into my router (Cisco 7200-VXR)
From router to switch (Cisco 2900XL)
1 port on switch is mirroring all traffic.
Mirrored port to Hogwash machine external interface (eth0)
Hogwash internal interface (eth1) to internal network (in the test setup, the internal net was the snort box).

This setup worked flawlessly, and was scrubbing the packets going to the snort box. No problems at all.

I then switched to the production setup today, and it didn't work. Here's the production setup:

PRODUCTION SETUP

Internet comes into my router (Cisco 7200-VXR)
From router to Hogwash external interface (eth0)
From Hogwash internal interface (eth1) to internal net

Hogwash saw all of the traffic, and both NICs were going wild (we have a full 45MB T3). At one point, I was even able to resolve IP addresses (a ping to yahoo.com told me the IP, but the pings still timed out), but every other type of traffic I tried would not pass.

This was done using the -n (no rules) switch in hogwash. But even without this switch, using my normal rules, it still does not work. My normal rules only drop the recent worms (Nimda and CodeRed) and a rule for SirCam as well. All of this worked perfectly in the test setup, but not in production. I have a feeling it has something to do with my switch.

Also, the Hogwash machine was booted and Hogwash was not running. The NIC cables were then connected to the router and switch (neither the router nor the switch was rebooted). When the switch had finished negotiating the port, Hogwash was started.

Again, sorry for the cross-post, but since the Hogwash list is such low traffic, I figured someone here would have a clue.

Thanks,
Brad T.