Snort mailing list archives
RE: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: External snort monitoring)
From: "Franki" <franki () gshop com au>
Date: Thu, 9 Aug 2001 03:42:22 +0800
if you have a dual speed hub, and machines running both speeds (netcards with 10 and 100), would it get around that if you had to nic in the snort machine on the network? one for 10 and one for 100? I just heard this and I am wondering if its something I need to worry about before rollin out snort... rgds Frank -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Dragos Ruiu Sent: Thursday, 9 August 2001 3:16 AM To: swilcoxon () iqmarketing com; lsmithjr () monster-solutions net; fhmiv () mac com Cc: snort-users () lists sourceforge net; snort-users () sourceforge net Subject: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: [Snort-users] External snort monitoring) This _has_ to be put into the FAQ. Does anyone care to try penning/editing the conclusive, concise, and tutorial answer also explaining the operation of the hub that causes Snort/IDS problems...? cheers, --dr On Wed, 08 Aug 2001, swilcoxon () iqmarketing com wrote:
Dual speed hubs act like a switch between the two different speeds. If
your
two machines are at different speeds you won't see the other traffic. S.W.-----Original Message----- From: Larry E. Smith Jr. [mailto:lsmithjr () monster-solutions net] Sent: Wednesday, August 08, 2001 12:01 PM To: Frank McPherson Cc: Snort List (E-mail); Snort Users Subject: Re: [Snort-users] External snort monitoring It shows in the system log as going into promiscuous mode. and I called Linksys to verify that this is a hub and not a switch. and i do not need to set an IP for the sensor correct? ----- Original Message ----- From: "Frank McPherson" <fhmiv () mac com> To: "Larry E. Smith Jr." <lsmithjr () monster-solutions net> Cc: "Snort List (E-mail)" <snort-users () lists sourceforge net>; "Snort Users" <snort-users () sourceforge net> Sent: Wednesday, August 08, 2001 12:11 PM Subject: Re: [Snort-users] External snort monitoring Two ideas: The ethernet interface on your external snort sensor is not in promiscuous mode; or your "hub" is really a switch. On Wednesday, August 8, 2001, at 11:12 AM, Larry E. Smith Jr. wrote:I have my cable modem hooked into a Linksys 5 port hub andI also havea snort sensor configured on the hub to catch all trafficcoming to mynetwork. from the 5 port hub it connects into a Linksysrouter which iswhere my server is located. my question is why can i catchtraffic onmy internal snort sensor connected to the Linksys router,but all I cansee are ARP requests on the external snort sensor which isconnected tothe hub? anyone have any ideas?_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=ort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Dragos Ruiu <dr () dursec com> dursec.com ltd. / kyx.net - we're from the future gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- External snort monitoring Larry E. Smith Jr. (Aug 08)
- Re: External snort monitoring Frank McPherson (Aug 08)
- Re: External snort monitoring Frank McPherson (Aug 08)
- Re: External snort monitoring Larry E. Smith Jr. (Aug 08)
- Re: External snort monitoring George D. Nincehelser (Aug 08)
- Re: External snort monitoring Erek Adams (Aug 08)
- Re: External snort monitoring Security @ Monster-Solutions.Net (Aug 08)
- <Possible follow-ups>
- RE: External snort monitoring swilcoxon (Aug 08)
- FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: External snort monitoring) Dragos Ruiu (Aug 08)
- RE: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: External snort monitoring) Franki (Aug 08)
- RE: FAQ 10/100 Hubs Block Other Speed Traffic Erek Adams (Aug 08)
- RE: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: External snort monitoring) Rich Adamson (Aug 08)
- Re: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: External snort monitoring) Ramin Alidousti (Aug 08)
- RE: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: [Snort-users] External snort monitoring) Jason (Aug 08)
- RE: RE: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: [Snort-users] External snort monitoring) James Friesen (Aug 09)
- RE: RE: FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: [Snort-users] External snort monitoring) James Friesen (Aug 10)
- Question? James Friesen (Aug 10)
- Re: Question? Jed Pickel (Aug 10)
- CODE RED III Mark Spieth (Aug 10)
- Re: CODE RED III Mike Baptiste (Aug 10)
- FAQ 10/100 Hubs Block Other Speed Traffic (was: RE: External snort monitoring) Dragos Ruiu (Aug 08)