Snort mailing list archives
Re: Snort and switches??
From: Dan Ferris <dferris () maad com>
Date: Fri, 29 Aug 2003 10:14:42 -0600
If you are using Linux (and maybe the BSDs as well) you can insert the bridge module which will turn your box into a poor man's Ethernet bridge. Place the bridge in line to see all the traffic going to and from the switch and sniff away. This is what we do here and it works nicely. Just make sure that you have NO IP addresses on your interfaces.
Hugh Brown wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Not necessarily. There are indeed methods to "sniff" on any sort of switch. Mac Address flooding comes to mind. The old ettercap program does this sort of thing. Another is to simply insert a tap, depending on your setup, in the uplink path (www.netoptics.com for example). I dimly remember that SANS has some docs on "sniffing on a switched network" somewhere on their site.

The real question is just how far are you willing to go to sniff a switch. MacAddress flooding, etc are probably NOT going to be your first choices for an everyday operation.

Failing details that I don't have handy at the moment, I'll point you to the ultimate research tool...www.google.com. Between it and the docs you'll find on snort.org and sans.org you should be able to find something that will work for you.

Emre Bastuz wrote:
| In case the switches are unmanaged, i.e. they have no way of configuring
| a so called SPAN port or similar feature, you will have no chance of monitoring
| traffic on that particular switch.
|
| No way :(
|
| Emre
|

- --
Hugh Brown
Computational Science & Information Technology
Florida State University
400 Dirac Science Center Library
Tallahassee, Florida 32306-4120
brown () csit fsu edu

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/T2P6aKJpeC2mfHARArMQAKCIJxVJY/T4S/qIUmFBJoREYPgtewCeIOTq
W98J7i8rGe9SjVfV7J36sSc=
=PSeJ
-----END PGP SIGNATURE-----

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
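An added example, not from the thread or from any poster's configuration: the address-free bridge Dan Ferris describes, built with iproute2 (a modern substitute for the bridge tooling of 2003), plus a check for leftover addresses, including the IPv6 link-local addresses the kernel assigns on its own. The interface names br0, eth1, eth2 and the eth0 management NIC are assumptions.

```sh
#!/bin/sh
# Added example. br0, eth1, eth2 and the eth0 management NIC are assumed names.

# Build the bridge and strip every address from it and its ports (run as root).
setup_bridge() {
    br=$1; shift
    ip link add name "$br" type bridge
    for nic in "$@"; do ip link set dev "$nic" master "$br"; done
    for nic in "$br" "$@"; do
        # Stop IPv6 autoconfiguration from assigning a link-local address.
        sysctl -q -w "net.ipv6.conf.$nic.disable_ipv6=1"
        ip addr flush dev "$nic"
        ip link set dev "$nic" up
    done
}

# Read `ip -o addr show` output on stdin and print each interface named in
# the arguments that still carries an IPv4 or IPv6 address, one per line.
addressed_ifaces() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        ($3 == "inet" || $3 == "inet6") && ($2 in watch) && !seen[$2]++ { print $2 }
    '
}

# Constructed sample of `ip -o addr show` output: eth0 is a separate
# management NIC; eth1 and br0 still hold auto-assigned IPv6 link-local addresses.
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever
5: br0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever'

# Check the sample; on a live sensor use: ip -o addr show | addressed_ifaces br0 eth1 eth2
printf '%s\n' "$SAMPLE" | addressed_ifaces br0 eth1 eth2
```

Any name the check prints is a bridge interface that can still be addressed from the monitored segment; an empty result means the bridge and its ports are address-free.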
Current thread:
- Snort and switches?? Edward Marshall (Aug 28)
- Re: Snort and switches?? Emre Bastuz (Aug 29)
- Re: Snort and switches?? Hugh Brown (Aug 29)
- Re: Snort and switches?? Dan Ferris (Aug 29)
- Re: Snort and switches?? Bryan Irvine (Aug 29)
- Re: Snort and switches?? Hugh Brown (Aug 29)
- Re: Snort and switches?? Erek Adams (Aug 29)
- Re: Snort and switches?? Emre Bastuz (Aug 29)