Snort mailing list archives

RE: Snort not seeing all traffic?


From: "PJ-ML" <p.jones.ml () xsb com>
Date: Thu, 24 Apr 2003 09:14:53 -0400

The Hub is a Linksys Etherfast 10/100 Hub. All 3 links are operating at
100...that was a great point and I was hoping that would be it. 

I wanted to point out that Snort does come up with some traffic, just not
all...meaning it does not and has not seen attacks/port scans, deliberate or
otherwise, on the firewall and the IP addresses it handles. It does see
traffic/alerts for a server on the switch below it...Not sure where to go
from here...Should I post my snort.eth1.conf file?

~PJ

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com] 
Sent: Wednesday, April 23, 2003 5:43 PM
To: p.jones.ml () xsb com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort not seeing all traffic?


First question:

Is the "hub" a 10/100 dual-speed hub?

If so:
  what speed is the interface from the hub to router?
  what speed is the interface from the hub to the switch?
  what speed is the interface from the hub to eth1 on the IDS box?

If all three numbers are not the same, that's your problem. The 10/100 
"auto switching" hubs are network-wise equivalent to a pair of hubs 
connected by a 2-port switch (also called an Ethernet bridge if you want to 
get technical about it, and some of these hubs call themselves "auto 
bridging" instead of "auto switching").

10mbit hub      ----- switch ------- 100 mbit hub

Thus if there's mismatch in speeds (ie: the snort box is the only 100mbit 
connection and the other 2 are 10mbit), it won't actually see the traffic 
because of the internal switch between the two speeds.

At 03:17 PM 4/23/2003 -0400, Patrick Jones wrote:
Snort 1.9.1
Red Hat 8.0
2 NICs
Eth0 10.x.x.x
Eth1 no address
Installed ACID

Topology:
Router - Hub - Switch - Firewall - Internal Network
          |                          |
          |                          |
        (Eth1)                       |
        IDS(eth0)------------------/

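Matt Kettler's description of a dual-speed hub as two hubs joined by a 2-port bridge can be modelled to show what a sensor on one speed actually receives. This is an added example, not part of the original thread; it is a simplified model, and the port names, MAC addresses and frame sequence are constructed.

```python
# Simplified model of a 10/100 dual-speed hub: one repeater segment per speed,
# joined by a two-port learning bridge. Port names and MACs are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class DualSpeedHub:
    def __init__(self, port_speeds):
        self.speed = dict(port_speeds)   # port name -> link speed (10 or 100)
        self.learned = {}                # MAC -> speed segment it was seen on

    def send(self, src_port, src_mac, dst_mac):
        """Return the set of ports that receive a frame sent from src_port."""
        seg = self.speed[src_port]
        self.learned[src_mac] = seg      # the bridge learns the sender's side
        # Repeater behaviour: every other port at the same speed gets a copy.
        seen = {p for p, s in self.speed.items() if s == seg and p != src_port}
        # Bridge behaviour: cross to the other speed only for broadcast,
        # unknown destinations, or destinations learned on the other side.
        dst_seg = self.learned.get(dst_mac)
        if dst_mac == BROADCAST or dst_seg != seg:
            seen |= {p for p, s in self.speed.items() if s != seg}
        return seen


def sensor_view(port_speeds, sensor="ids"):
    """Replay a constructed router<->switch exchange; report what the sensor saw."""
    hub = DualSpeedHub(port_speeds)
    router, inside = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    frames = [
        ("router", router, BROADCAST),   # ARP request
        ("switch", inside, router),      # ARP reply (unicast)
        ("router", router, inside),      # the traffic Snort should inspect
    ]
    return [sensor in hub.send(*f) for f in frames]


if __name__ == "__main__":
    same = {"router": 100, "switch": 100, "ids": 100}
    mixed = {"router": 10, "switch": 10, "ids": 100}
    print("all ports at 100:", sensor_view(same))
    print("only IDS at 100: ", sensor_view(mixed))
```

In the mismatched case the model's sensor still receives broadcasts and frames for destinations the bridge has not learned, so its capture is partial rather than empty.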