Snort mailing list archives
Re: stealth mode and openbsd 3.3
From: MH <procana () insight rr com>
Date: Sat, 24 May 2003 06:38:24 -0400
Hi Bert,
You mentioned that both interfaces are plugged into the same *hub*. However, both interfaces are listed as operating full-duplex. Is this a hub or a switch? A hub does not support full-duplex connections (shared bandwidth etc. etc. etc. :) ). If this is a switch (not a hub), sis0 would not be able to 'see' the data unless you mirror to its port.
If you have not already done this, try running tcpdump -nXi sis0 or snort -vdei sis0 when you run the tests.
Is sis0 able to 'see' the data?
My guess is that this is a switch and you are running the test attacks through rl0. If this is true, that explains why snort will generate the alerts when listening on rl0 and not sis0. If this is correct, mirroring to sis0's port will resolve this issue.
Hope this helps,
Mike
Current thread:
- stealth mode and openbsd 3.3 Bert Beaudin (May 23)
- Re: stealth mode and openbsd 3.3 MH (May 24)
- Re: stealth mode and openbsd 3.3 Erek Adams (May 27)