Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: FAQ 10/100 Hubs Block Other Speed Traffic

From: Dragos Ruiu <dr () kyx net>
Date: Thu, 9 Aug 2001 02:16:20 -0700
There's other good stuff in the FAQ too.  
Good detailed info in the second url. --dr

3.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q:  How do I setup snort on a 'stealth' interface?

A:  Bring up the interface without an IP address on it. See FAQ 3.2...
    http://www.geocrawler.com/archives/3/4890/2000/9/0/4399696/
A:  Use an ethernet tap, or build your own 'receive-only' ethernet cable.
    http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm
A:  Anyway, here is the cable I use:

    LAN Sniffer
    1 -----\ /-- 1
    2 ---\ | \-- 2
    3 ---+-*------- 3
    4 - | - 4
    5 - | - 5
    6 ---*-------- 6
    7 - - 7
    8 - - 8

    Basically, 1 and 2 on the sniffer side are connected, 3 and 6
    straight through to the LAN. 1 and 2 on the LAN side connect to 3 and
    6 respectively. This fakes a link on both ends but only allows
    traffic from the LAN to the sniffer. It also causes the 'incoming'
    traffic to be sent back to the LAN, so this cable only works well on
    a hub. You can use it on a switch but you will get ...err...
    interesting results. Since the switch receives the packets back in on
    the port it sent them out, the MAC table gets confused and after a
    short while devices start to drop off the switch. Works like a charm
    on a hub though.




On Wed, 08 Aug 2001, you wrote:

Excellent point, which raises a slightly off topic question.

Could we imagine making a special "tapping" CAT5 cable, that would, on one
end of the cable have an extra twisted pair comming out (connected on the Rx
on the normal wires) that would be used for tapping, by feeding those to the
snort Box ?
I realise, that if it worked, it would limit either incoming or outgoing
traffic to be monitored, but still it's a very, very cheap solution when you
can go for a switch that has port mirroring.

Murphy.


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of
stefmit () starband net
Sent: Thursday, August 09, 2001 00:40
To: snort-users () lists sourceforge net
Subject: [Snort-users] Re: FAQ 10/100 Hubs Block Other Speed Traffic


Great descriptions - just to throw in a "minor" thing: if you deal with
full duplex on a switched port, only a tap would save you - have
succesfully used Shomiti's ones on 100MB FD ports, and used two
Snort instances, capturing traffic on both directions. Port mirroring
didn't work in that case ...

Stef


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: