Snort mailing list archives

Taps, Rx Only Cables & Hubs - Which one(s)?


From: "Jim Richards" <jrichards () meandaur com>
Date: Tue, 8 Jun 2004 09:12:18 -0500

I'm trying to get Snort running on Win2K with MSSQL...so far I have been successful.  The next step is to implement it 
into the network in receive only mode (stealth) but I am seeing conflicting configurations for this in the mail list 
archives and on the web.  From what I've gathered, using a tap and a receive only cable is the only way this works but 
it won't work when going to a switch?  Here was my original thinking:

Firewall ------  Tap  -------  Switch to Network
                    |
                  Snort

I made my own tap via:  http://www.snort.org/docs/tap/

It says it can be used on any hub or switch and any OS.  But, I get no link on the Snort box and no data coming in.  
According to the mail list archives, I need to add the Rx only cable...after diagramming it out with the tap, basically 
it would mean just tying pins 1&2 on the Snort NIC together:

TAP
                                
A                   Host Host   B
1     |----------       1----1  1
2     | |--------       2----2  2
3-----| |               3----3------3
4         |             4----4------4
5         |             5----5  5
6-------|               6----6  6
7                       7----7  7
8                       8----8  8


           Rx Only Cable
            Host       IDS
     |--------1         1---|
     |    |---2         2---|
     |----|---3---------3
          |   4         4
          |   5         5
          |---6---------6
              7         7
              8         8


 

So what we have here, after all is done, is basically a pile of wires that does nothing, because pins 1&3 and 2&6 on 
both "host" sides are tied together; thus, no pass thru of data.  


I have seen several people recommend a Rx only cable and a hub...but then what is the point of having a tap?  Isn't the 
Rx cable and the hub acting as your tap?  Not to mention, this hub then becomes the single point of failure.  In a 
highly redundant environment, this just won't work.  Anyone out there that can give me any idea on how to implement 
this? I've got my ears wide open because my brain is a pile of jello at this point...  =)


Thanks!

Jim Richards
IT Manager
www.meandaur.com
+1 847 296 2300 x 233
+1 847 296 7975
jrichards () meandaur com
Visit Meandaur at the Jupiter Media / Search Engine Strategies Conference August 2-5 in San Jose, CA.


