Snort mailing list archives

Re: Is it really a HUB?

From: "Petriz, Pablo" <ppetriz () siscat com ar>
Date: Wed, 26 Nov 2003 14:57:22 -0300

I want to know if someone on this list is using the Cisco 1538 Micro Hub for
snorting.

In the overview pdf of this product says:

- Autosensing on all ports allows automatic configuration for either 10BaseT
or
100BaseT connections.
- Built-in high-speed bridge function automatically connects 10BaseT and
100BaseT
workstations without an external switch or router.
- Embedded switch supports store-and-forward switching and filtering and
forwarding
rate at full-wire speed.

So i don't know if snort will see all the traffic on it...

Thanks,

PABLO

Date: Wed, 29 Oct 2003 15:42:00 -0500
From: "Kristofer T. Karas" <ktk () enterprise bidmc harvard edu>
To: snort-users () lists sourceforge net
CC: Darryl Luff <dluff () iitscdm com au>
Subject: Re: [Snort-users] Is it really a HUB?

Darryl Luff wrote:

It works as you say. Except that if your station never transmits 
anything, the switch will not learn your MAC, and will flood all 
traffic addressed TO YOU out all ports.  [snip]


Thanks...

Right, that was the very thought that hit me in the head the 
other night 
as I pondered the issues further.  The router with the spanned port 
talks to a small handful of other routers; the only MAC 
addresses seen 
coming in to the hub from that port will therefore be those 
of the other 
routers, all of which will make their way into the hub's MAC table.  
Thus, within a few seconds or so, the small hub will not send 
anything 
to the IDS because it knows that the source and destination MACs all 
reside on the port connected to the router's spanned port; 
ergo, there 
is no need to copy the packets to any of its (the hub's) other ports. 

Bugger.   I guess I need to find somebody that makes a small 4-port 
switch where one can configure a port as a promiscuous 
listening interface.

Kris



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: Is it really a HUB?, (continued)
- - Re: Is it really a HUB? Jason Haar (Oct 25)
    - Re: Is it really a HUB? Rich Adamson (Oct 25)
  - Re: Is it really a HUB? Mike Cojocea (Oct 27)
- Re: Is it really a HUB? Kristofer T. Karas (Oct 27)
- Re: Is it really a HUB? Marc Quibell (Oct 28)
  - Re: Is it really a HUB? Kristofer T. Karas (Oct 28)
    - Re: Is it really a HUB? Darryl Luff (Oct 28)
    - Re: Is it really a HUB? Kristofer T. Karas (Oct 29)
- Re: Is it really a HUB? Marc Quibell (Oct 28)
- RE: Is it really a HUB? Potts, Ross A. (Oct 29)
- Re: Is it really a HUB? Petriz, Pablo (Nov 26)
  - Re: Is it really a HUB? Matt Kettler (Nov 26)
    - Re: Is it really a HUB? kenw (Nov 27)
    - Re: Is it really a HUB? Matt Kettler (Nov 28)
    - Re: Is it really a HUB? kenw (Nov 28)
    - Re: Is it really a HUB? Matt Kettler (Nov 28)
    - Re: Is it really a HUB? kenw (Nov 28)
- RE: Is it really a HUB? bmcdowell (Nov 28)