Re: Is it really a HUB?

["Marc Quibell" <mquibell () fbfs com>]

"as long as one keeps one's box from transmitting
any data, the hub/switch will not learn its MAC address, and should send
it everything."

Actually, it will send it nothing at all....

And about the SPAM response, I never got SPAM until I joined this group, because
I've kept this email addy to myself. Now I get the SWEN WORM (yes folks, once
again, that is the "Microsoft Patch" email worm) all of the time, not to mention
SPAM. I don't see how it can be so difficult to digest lists and not post
sender's email addy's, including email addy's in the content.

Cheese!

Marc

--__--__--

> Message: 9
> Date: Mon, 27 Oct 2003 20:15:55 -0500
> From: "Kristofer T. Karas" <ktk () enterprise bidmc harvard edu>
> To: Snort Users <snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] Is it really a HUB?

> Petriz, Pablo wrote:

> > I'm looking for an 'old fashioned' hub but it seems to be difficult to find
> > it.  I want to connect my Snort to a 100Mbps hub, i've tried with a cheap
> > Encore hub, but it works like a switch, and Snort can't see the traffic.

> I'd love to know the general consensus on this one too, as I'm faced
> with data that flows over multiple routes as old infrastructure is
> gradually replaced with new, causing my snort box to see less and less
> of the spanned data.  I also have two separate monitoring boxes, one
> running Win2K and one Slackware Linux, both of which would like to vie
> for the now two spanned ports on my routers (one old, one new).

> Although I could combine two streams in Linux with multiple NICs and
> then fast-bridge the result to the Win2K box on yet another NIC, this
> seems excessive and data intensive.  I'd rather use a simple four-port hub.

> Q: for the list (I just know I'll get whacked with the faq for posting
> before I RTFM).  Since those auto speed sensing mini switches are
> address-learning boxes, as long as one keeps one's box from transmitting
> any data, the hub/switch will not learn its MAC address, and should send
> it everything.  For Win2K that means omitting the stacks from any
> association with the hardware interface; in Linux, not assigning an IP
> address, and turning off the "arp" and "broadcast" flags.  True???

> Kris Karas
> Technical Security Engineer, CareGroup, Boston

> ObSPAM: Reading the whole spam discussion reminded me for some totally
> silly reason of the scene in Monty Python's _Life of Brian_ where one
> poor fellow jumps up and down repeatedly yelling "jehovah" because he
> can't imagine being any more vexed.  Well, recently reported stats put
> SPAM at >50% of Internet mail.  Hah!  I checked my mail today - 4
> messages to me, 137 spam.  So I really don't care who else has my email
> address; it can't get any worse.  Jehovah!  Jehovah!  :-)




-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?   SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users