Snort mailing list archives

Re: stealth mode and openbsd 3.3


From: MH <procana () insight rr com>
Date: Sat, 24 May 2003 06:38:24 -0400

Hi Bert,

You mentioned that both interfaces are plugged into the same *hub*. However, both interfaces are listed as operating full-duplex. Is this a hub or a switch? A hub does not support full-duplex connections (shared bandwidth etc. etc. etc. :) ). If this is a switch (not a hub), sis0 would not be able to 'see' the data unless you mirror to its port.

If you have not already done this, try running tcpdump -nXi sis0 or snort -vdei sis0 when you run the tests.
Is sis0 able to 'see' the data?

My guess is that this is a switch and you are running the test attacks through rl0. If this is true, that explains why snort will generate the alerts when listening on rl0 and not sis0. If this is correct, mirroring to sis0's port will resolve this issue.

Hope this helps,
Mike
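
The check suggested above (can sis0 actually 'see' the traffic?) can be scripted; this is an added example, not part of the original message or of Snort. It assumes the text layout that current tcpdump prints with `-e -n`; the function name, sensor MAC and sample captures are constructed for illustration.

```shell
#!/bin/sh
# Added example. Usage on a live sensor (needs root):
#   tcpdump -e -n -c 200 -i sis0 | classify_capture <MAC of sis0>
# Assumes modern tcpdump -e text: "TIME SRC_MAC > DST_MAC, ethertype ..."

classify_capture() {
    own=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v own="$own" '
    $3 == ">" {
        src = tolower($2); dst = tolower($4); sub(/,$/, "", dst)
        total++
        # Odd second hex digit of the first octet = group bit set
        # (broadcast/multicast); a switch floods those to every port.
        if (index("13579bdf", substr(dst, 2, 1)) > 0) next
        # Unicast between two other hosts: only visible on a hub
        # or on a mirror (SPAN) port.
        if (src != own && dst != own) foreign++
    }
    END {
        if (total == 0)       print "no-traffic"
        else if (foreign > 0) print "sees-foreign-unicast"
        else                  print "flooded-or-own-only"
    }'
}

# Constructed captures (documentation MAC and IP ranges).
SENSOR_MAC=00:00:5E:00:53:01
sample_mirrored() {
    cat <<'EOF'
12:00:00.000001 00:00:5e:00:53:0a > 00:00:5e:00:53:0b, ethertype IPv4 (0x0800), length 74: 192.0.2.10.40000 > 192.0.2.20.80: Flags [S], length 0
12:00:00.000002 00:00:5e:00:53:0a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.20 tell 192.0.2.10, length 46
EOF
}
sample_unmirrored() {
    cat <<'EOF'
12:00:01.000001 00:00:5e:00:53:0a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.20 tell 192.0.2.10, length 46
12:00:01.000002 00:00:5e:00:53:0c > 01:00:5e:00:00:01, ethertype IPv4 (0x0800), length 60: 192.0.2.30 > 224.0.0.1: igmp query v2
EOF
}

echo "mirrored/hub sample: $(sample_mirrored | classify_capture "$SENSOR_MAC")"
echo "unmirrored sample:   $(sample_unmirrored | classify_capture "$SENSOR_MAC")"
```

A switch also floods unicast frames for destination MACs it has not learned yet, so a few stray foreign frames in a long capture are not proof of mirroring; sustained two-way conversations between other hosts are.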



