Snort mailing list archives
FW: Help!!!
From: <support () nps-dc org>
Date: Sat, 2 Aug 2003 17:11:59 -0400
Other people responded to you before my response showed up... but in case you still have questions...

In a switched network, only frames that are addressed to the MAC of the node on a specific network segment get sent out that corresponding switch port. Meaning: your Snort sensor won't see any packets unless they're addressed to it specifically.

Example: the first time a switch sees a packet leaving your newly turned on PC (connected to your switch's port 3), the switch notes the source MAC address of the frame and this port 3. Whenever a frame addressed to the MAC address of your new PC comes into the switch, the switch sends these packets down port #3. If a switch receives a packet for which it doesn't have a MAC address on file, it sends it down all ports. Only broadcast and directly addressed packets will be seen by your Snort sensor when it's directly connected to a switch.

Options:
1) as suggested, insert a true 'hub' on which you'll have the Snort box and any servers/boxes that you want monitored
2) purchase a switch that supports 'spanning' or 'mirroring'

#1: does have a performance hit - and the more nodes on there, the more collisions, etc., but it's a cheap way to do it
#2: Cisco Catalysts will do this. I asked the list a question on which is the most cost effective 8 port switch that will support this spanning feature; I haven't heard back yet.

As far as promiscuous mode... Ethernet, by design (and on hubs) means that all the nodes on the local network see all of the traffic. By definition, NICs only "pick up" the frames whose "layer 2 TO" header matches their MAC address. A NIC in promiscuous mode processes ALL frames that hit the interface (i.e.: it's a LAN eavesdropper).

To see if your NIC is configured like this, try:

$ /usr/sbin/tcpdump

(I'm on RH 9.0, yours may be elsewhere.) You should see "listening on eth0", and then a bunch of data flowing by (assuming you're on a hub). If not, leave tcpdump running and ping this box from another box; but do get on the hub as a short term test.

Are you using old hardware? Some NIC cards don't support promiscuous mode.

fernando

-----Original Message-----
From: Brandon Hanks [mailto:hanksbc () knology net]
Sent: Saturday, August 02, 2003 1:55 AM
To: support () nps-dc org
Subject: Re: [Snort-users] Help!!!

Yes, I'm using a switched network. Don't know about ethernet card being promiscuous mode? (libcap??). Is that a setting within snort or during initial install of OS?

Thanks
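The forwarding behaviour described in the reply above, as an added example that is not part of the original post or of Snort: a small Python model of a learning switch (MAC table, known-unicast forwarding, flooding of broadcast and unknown unicast) next to a hub, replaying a constructed sequence of frames and counting how many reach a sensor on port 3. The MAC addresses, port numbers and traffic are all made up for the illustration, and the SPAN/mirror port is modelled simply as "a copy of every frame that enters on another port", which is the behaviour the post relies on.

```python
"""Learning-switch model: which frames does a Snort sensor on port 3 see?

Added example, not part of the original mailing-list post or of Snort.
MAC addresses, port numbers and the traffic below are all constructed.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed MAC addresses for the three hosts in the post's scenario.
PC_A, PC_B, SENSOR = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:53"
PORT_A, PORT_B, PORT_SENSOR = 1, 2, 3


class Hub:
    """A true hub repeats every frame out of every port except the ingress one."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.delivered = defaultdict(list)   # port -> frames copied to it

    def forward(self, ingress, src, dst):
        egress = [p for p in self.ports if p != ingress]
        for p in egress:
            self.delivered[p].append((src, dst))
        return egress


class LearningSwitch(Hub):
    """Learns source MAC -> ingress port; sends known unicast to that one port,
    floods broadcast and unknown unicast.  If mirror_port is set, every frame
    entering on another port is also copied there (a simplified SPAN port)."""

    def __init__(self, ports, mirror_port=None):
        super().__init__(ports)
        self.mirror_port = mirror_port
        self.table = {}                      # MAC -> port (the "MAC on file")

    def forward(self, ingress, src, dst):
        self.table[src] = ingress            # learn which port src lives on
        if dst == BROADCAST or dst not in self.table:
            egress = [p for p in self.ports if p != ingress]   # flood
        else:
            egress = [self.table[dst]] if self.table[dst] != ingress else []
        if (self.mirror_port is not None and ingress != self.mirror_port
                and self.mirror_port not in egress):
            egress.append(self.mirror_port)  # SPAN copy for the sensor
        for p in egress:
            self.delivered[p].append((src, dst))
        return egress


# Constructed traffic: (ingress port, source MAC, destination MAC).
TRAFFIC = [
    (PORT_A, PC_A, PC_B),          # B not yet learned -> flooded to all ports
    (PORT_B, PC_B, PC_A),          # A already learned -> port 1 only
    (PORT_A, PC_A, PC_B),          # B learned now -> port 2 only
    (PORT_A, PC_A, BROADCAST),     # broadcast -> every port
    (PORT_SENSOR, SENSOR, PC_A),   # sensor talks, switch learns it on port 3
    (PORT_A, PC_A, SENSOR),        # addressed to the sensor -> port 3
    (PORT_B, PC_B, PC_A),          # ordinary host-to-host unicast
]


def frames_seen_by(device, port, traffic=TRAFFIC):
    """Replay traffic through device and return the frames delivered to port."""
    for ingress, src, dst in traffic:
        device.forward(ingress, src, dst)
    return list(device.delivered[port])


def sensor_on_plain_switch():
    return frames_seen_by(LearningSwitch([1, 2, 3]), PORT_SENSOR)


def sensor_on_span_port():
    return frames_seen_by(LearningSwitch([1, 2, 3], mirror_port=PORT_SENSOR),
                          PORT_SENSOR)


def sensor_on_hub():
    return frames_seen_by(Hub([1, 2, 3]), PORT_SENSOR)


if __name__ == "__main__":
    for name, fn in [("plain switch", sensor_on_plain_switch),
                     ("switch with SPAN", sensor_on_span_port),
                     ("hub", sensor_on_hub)]:
        seen = fn()
        print(f"{name:17}: sensor sees {len(seen)} of {len(TRAFFIC)} frames")
```

On the plain switch the sensor only receives the first (unknown-destination) frame, the broadcast, and the frame addressed to its own MAC; the two host-to-host conversations after the table is populated never reach port 3, which is exactly why an IDS on an ordinary switch port reports almost nothing. The hub and the SPAN port both deliver every frame the sensor did not send itself, so the missing traffic is a topology problem, not a Snort or promiscuous-mode setting.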