Snort mailing list archives

Re: Is it really a HUB?

From: "Kristofer T. Karas" <ktk () enterprise bidmc harvard edu>
Date: Mon, 27 Oct 2003 20:15:55 -0500

Petriz, Pablo wrote:

I'm looking for an 'old fashioned' hub but it seems to be difficult to find
it.  I want to connect my Snort to a 100Mbps hub, i've tried with a cheap
Encore hub, but it works like a switch, and Snort can't see the traffic.

I'd love to know the general consensus on this one too, as I'm facedwith data that flows over multiple routes as old infrastructure isgradually replaced with new, causing my snort box to see less and lessof the spanned data. I also have two separate monitoring boxes, onerunning Win2K and one Slackware Linux, both of which would like to viefor the now two spanned ports on my routers (one old, one new).

Although I could combine two streams in Linux with multiple NICs andthen fast-bridge the result to the Win2K box on yet another NIC, thisseems excessive and data intensive. I'd rather use a simple four-port hub.

Q: for the list (I just know I'll get whacked with the faq for postingbefore I RTFM). Since those auto speed sensing mini switches areaddress-learning boxes, as long as one keeps one's box from transmittingany data, the hub/switch will not learn its MAC address, and should sendit everything. For Win2K that means omitting the stacks from anyassociation with the hardware interface; in Linux, not assigning an IPaddress, and turning off the "arp" and "broadcast" flags. True???


Kris Karas
Technical Security Engineer, CareGroup, Boston

ObSPAM: Reading the whole spam discussion reminded me for some totallysilly reason of the scene in Monty Python's _Life of Brian_ where onepoor fellow jumps up and down repeatedly yelling "jehovah" because hecan't imagine being any more vexed. Well, recently reported stats putSPAM at >50% of Internet mail. Hah! I checked my mail today - 4messages to me, 137 spam. So I really don't care who else has my emailaddress; it can't get any worse. Jehovah! Jehovah! :-)




-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Is it really a HUB? Petriz, Pablo (Oct 24)
- Re: Is it really a HUB? Craig Paterson (Oct 24)
  - Re: Is it really a HUB? Jason Haar (Oct 25)
    - Re: Is it really a HUB? Rich Adamson (Oct 25)
  - Re: Is it really a HUB? Mike Cojocea (Oct 27)
- Re: Is it really a HUB? Kristofer T. Karas (Oct 27)
- <Possible follow-ups>
- Re: Is it really a HUB? Marc Quibell (Oct 28)
  - Re: Is it really a HUB? Kristofer T. Karas (Oct 28)
    - Re: Is it really a HUB? Darryl Luff (Oct 28)
    - Re: Is it really a HUB? Kristofer T. Karas (Oct 29)
- Re: Is it really a HUB? Marc Quibell (Oct 28)
- RE: Is it really a HUB? Potts, Ross A. (Oct 29)
- Re: Is it really a HUB? Petriz, Pablo (Nov 26)
  - Re: Is it really a HUB? Matt Kettler (Nov 26)
    - Re: Is it really a HUB? kenw (Nov 27)
    - Re: Is it really a HUB? Matt Kettler (Nov 28)

(Thread continues...)