Snort mailing list archives
RE: strange promiscous mode behavior
From: "Chris Grout" <cgrout () s4r com>
Date: Thu, 31 Jan 2002 23:47:07 -0800
Check what speed all external interfaces have negotiated too. Keep in mind that many 10/100 hubs actually will switch traffic between the 10 mbit devices and the ones at 100. I'm not a netgear guru, but I know this is the case with the "smarter" 10/100 hubs. Obviously to rememdy this, just hard code everything to one speed. -Chris -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Ben Keepper Sent: Thursday, January 31, 2002 10:04 PM To: snort-users () lists sourceforge net Subject: [Snort-users] strange promiscous mode behavior I am having a fit trying to figure this one out. 2 Demarc/Snort sensors. One has three NICs with one NIC to a hub between the router and firewall, one to a hub in the DMZ, and one to the inside network as a management interface. All this data goes to a dual-homed box that has one interface snorting on the inside network, and the other interface being the main SID/MYSQL/DEMARC NIC for the whole network. The box that is monitoring the DMZ and outside network is using the same dual Intel NIC to watch these segments. The DMZ interface is working perfectly, but the interface on the outside network refuses to see packets. A tcpdump reveals the arps, but no real data. Even giving the NIC an IP address within the external IP address range of the firewall and then in promisc mode reveals no data unless the packets are directed at that specific IP. The hub (Netgear DS-16) in the DMZ and the external net are identical, so I don't think its the hub, and, like I said this is a dual port card, with one port perfectly content, and the other not seeing anything. What gives? Shouldn't I be able to see any data between the router and firewall with a tcpdump? TIA, Ben Ben Keepper Security Engineer "I like to play with things awhile... before annilation" -Emperor Ming the Merciless _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=ort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- strange promiscous mode behavior Ben Keepper (Jan 31)
- Re: strange promiscous mode behavior Erek Adams (Jan 31)
- RE: strange promiscous mode behavior Chris Grout (Jan 31)
- Re: strange promiscous mode behavior Jason Haar (Feb 03)