Snort mailing list archives

Re: Snort and Promiscuous Mode


From: François Désarménien <francois () fdesar net>
Date: Tue, 9 Oct 2001 19:24:55 +0200

Tue, 09 Oct 2001 12:40:16 -0400
"Frontgate Lab" <mdiwan () wagweb com> wrote:

Hello everyone.. Just a few quick questions about Snort 
and Promiscuous mode on an Ethernet NIC. 

What are the consequences of NOT enabling promiscuous mode on the NIC
and still running Snort on it?

You won't see traffic with MAC addresses that aren't the one running Snort. 


I.e., in what situations would I be able to see traffic that is pertinent, and
in what situations would I not see something I should be watching out
for?

You'll mostly be blind.


Most often the environment that Snort runs in
is switched; sometimes these switches are VLAN-ed, sometimes the switch
is flat.
It is unusual that the switch mirrors all its traffic to one switch
port, but I can set up environments where this is possible. What is the
best approach for Snort IDS?

I like to put it on a hub between the external router and the switch. It
is also possible to setup a monitor port on some switches. This is good too.


Does running IDS on a switched port without promiscuous mode have any
advantages for me
if the IDS is running on a firewall?

IMHO, the NIDS should never be run on a firewall: you must ban from your
firewalls every application that could make them fail or grab their resources,
which in fact Snort can easily do. An NIDS should be a dedicated system.

 
One of the problems with promiscuous mode in some of my environments is
that it seems to suck packets away from their intended targets,
especially in UDP environments. Has anyone else experienced this?


Promiscuous mode is purely passive: it doesn't "eat" anything. The
frame is transmitted through the entire network, eventually filtered by
switches, and the NIC just catches the signal, but instead of ignoring it
because it's not its MAC address, it forwards it up to the IP layer.

Are there any drawbacks to running Snort on an interface without an
IP? I.e., could I still put it into promiscuous mode if I had to, and why
would I want to do that?

Works fine and it's much better IMHO. You can also set up an RO cable,
but be aware that some 10/100 Mbit/s switches and hubs need to get
traffic to set up the link correctly.


Please forgive some of the above redundancy in language; I simply want to
explain my questions as clearly as possible.

Thank you for any input on this topic.

Welcome.

F.
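
The receive filter described in the reply above, as an added example that is not part of the original post and is not Snort code: a small Python model of which frames a sensor NIC hands up the stack with and without promiscuous mode. The MAC addresses and frames are constructed, and the model covers the NIC filter only; on a switched port the switch must still deliver the frame (hub or monitor port) before this filter sees it.

```python
# Added illustration: models a NIC's destination-MAC receive filter.
BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw

def build_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a minimal Ethernet II frame (constructed test data)."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + payload

def nic_accepts(frame, own_mac, promiscuous, mcast_groups=frozenset()):
    """Return True if the NIC would pass this frame up to the host."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[:6]
    if promiscuous:                 # filter disabled: everything on the wire
        return True
    if dst == own_mac or dst == BROADCAST:
        return True
    if dst[0] & 0x01:               # I/G bit set: group (multicast) address
        return dst in mcast_groups  # only groups the host has joined
    return False                    # unicast for another host: dropped

# Constructed sample traffic as seen on a hub or monitor port.
SENSOR = mac("02:00:00:00:00:01")
FRAMES = {
    "to_sensor":    build_frame("02:00:00:00:00:01", "02:00:00:00:00:aa"),
    "host_to_host": build_frame("02:00:00:00:00:bb", "02:00:00:00:00:aa"),
    "broadcast":    build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:aa"),
    "multicast":    build_frame("01:00:5e:00:00:fb", "02:00:00:00:00:aa"),
}

def visible(promiscuous):
    """Names of sample frames the sensor would get to inspect."""
    return sorted(name for name, frame in FRAMES.items()
                  if nic_accepts(frame, SENSOR, promiscuous))

if __name__ == "__main__":
    print("non-promiscuous:", visible(False))
    print("promiscuous:    ", visible(True))
```

The host-to-host frame, which is the traffic an IDS exists to inspect, only appears in the promiscuous result.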
