Re: Snort and acidcenter

[Rich Adamson <radamson () routers com>]

The switch vs hub issue essential is: switches forward traffic to
only one physical port, and that port is the one that it learned
the MAC address of whatever is attached. If the box on port 1 is
communicating with the box on port 3 in a switched environment, then
devices attached to ports 2 & 4 don't "see" that traffic. So, in this
example, if snort is attached to port 2, it won't see the traffic
between 1 & 3, and therefore it won't alert (except on broadcast-
type traffic).

The Netgear DS104 is kind of an odd duck in that it changes to a
"switch-like" box when the port speeds are different. I forget exactly
which way now, but seems to me that if snort is running on a 100 meg 
port and all other ports are running at 10 meg, snort won't see the
traffic (or is it the other way around; don't remember).

There are lots of other so called hubs that essentially do the same
thing. I've got two 3Com Dual Speed 500 hubs, one essentially acts
like a switch between groups of ports (eg, if ports 1-8 communicate
with ports 9-16 and the port speeds differ, then it functions as a
switch), and the second switch always plays like a hub.

> This is very interesting.  I use a netgear switch for my wan and lan.   When 
> someone surfs a porn site in my house, I see it come up on ACID.  I do not 
> get the url, I just get the IP address.  Snort is set on eth0 which is the 
> DMZ port on my router.  I see all traffic that comes through my switch and 
> router.  Maybe I am not understanding the difference and why snort would care 
> or not see activity on a switched network if it was set that way.
>
> On Wednesday 01 January 2003 01:38 pm, Rich Adamson wrote:
> > > i have a netgear dualspead 10/100 hub...
> > > are you telling me this wont work ?
> >
> > I use the Netgear DS104 dual speed hub when professionally
> > evaluating networks. It works fine for sniffing, snort, etc,
> > "except" when equipment attached to the hub are operating at
> > different speeds. If you statically define the interface
> > speed (for each attached device) at the exact same speed for
> > all devices, the hub will work fine.
> >
> > However, if one interface is operating at 100 megabits (as
> > an example) and others are at 10 megabit, there is a very high
> > probability the hub will start functioning as a switch and you
> > won't see packets passing between interfaces as expected.
> >
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users

---------------End of Original Message-----------------



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users