Re: Install location

[Seth Art <sethart () gmail com>]

If you only care about the traffic going to the machine that snort is
running on then you don't need a hub.  If you would like snort to be
able to see the traffic to/from all the machines on your lan you need
a hub.  A switch is *smart* enough to let traffic to host A only be
seen by host A, and traffic send to host B only to be seen by host B. 
This cuts down on high load networks.  But if the interface that snort
is on is C, with a router/switch the only thing that snort will see is
traffic sent C.  A hub is "dumb" however and and sends all traffic to
all ports.  A will see traffic to/from a/b/c, B will see traffic
to/from a/b/c.  But most importantly, the snort interface C will see
all traffic sent to A, B, and C.

By default A and B will ignore the traffic sent to them but addressed
to the other hosts.  But Snort will turn on promiscuous mode which
will let C accept all of A,B, and C's traffic.

That... is why you need a hub.  

As far as bridging, that is something between your router/switch and
DSL modem.  If everything is working fine now without bridging adding
a hub or using snort will not affect it at all.

Lastly.  As far as conflicts with the extra interface.. Read the
thread Multi Homed Sensor

Q. How do I configure snort to listen on eth1 but report out on eth0?
A. I have mine configure with eth0 being connected to the SPAN port
(in your case this will be a hub) which is configured just as:

# ifconfig eth0 up

so has no IP address etc. I think snort will kick it into promiscuous
mode, but if not, you can manually do it by #ifconfig eth0 promisc

snort takes a command line parameter '-i eth0' to tell it which
interface to use, and eth1 is set up "as usual", with IP address,
netmask and default gateway set. Linux is clever enough to use eth1
for all communications.

cheers,
Jamie

Basically you still have some reading to do.  The more reading you do
the more all of this will make sense.  Good luck.

-Seth



On Fri, 14 Jan 2005 20:49:59 +0100, Eckhardt Newger <enewger () gmx de> wrote:
> Hi Seth Art,
>
> Thanks for your reply. So it seems feasible to use an existing
> workstation for a snort installation. Fine.
>
> All my traffic is handled by a D-Link 614+: it acts as switch for my LAN
> clients, as AP for wireless LAN clients, and as router to connect to the
> Internet via a separate DSL modem. So do you see any need to
> additionally install a hub? Network traffic is moderate, so performance
> considerations don't have to be taken into account here.
>
> I*ve read somewhere that I might be obliged to do port brigding when
> using a switch. I must confess that I'm totally unclear about this.
>
> Finally, should I give Snort an Ethernet card on ist own to connect to
> the LAN, and, if so, how to avoid conflicts with the already installed
> Ethernet card used by the workstation for its normal network traffic?
>
> Any further hints are higly welcome.
>
> Best regards
>
> Eckhardt Newger


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users