Snort mailing list archives

RE: Taps, Rx Only Cables & Hubs - Which one(s)?


From: "Mike Walter" <mwalter () 3z net>
Date: Tue, 8 Jun 2004 10:41:32 -0400

Jim,

Try going into your switch management and mirroring the port on the switch that the firewall is connected to. Then plug your second NIC in your SNORT box into the mirrored port and that will be the sniffer NIC.

Hope that helps.

Mike Walter
PCD Network Solutions, Inc.
3z.net a PCD Company
<http://www.3z.net>
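For readers following the port-mirroring suggestion above, here is an added example of what that switch-side configuration looks like; it is not from the thread or from either poster. It assumes a Cisco Catalyst running IOS, with the firewall on FastEthernet0/1 and the Snort sniffing NIC on FastEthernet0/24 (both interface names are assumptions; substitute your own).

```cisco
! Added example, not from the original thread.
! Local SPAN: copy everything seen on the firewall port to the Snort port.
! Assumed ports: Fa0/1 = firewall uplink, Fa0/24 = Snort sniffing NIC.

! Send both ingress and egress frames of the firewall port to the session
monitor session 1 source interface FastEthernet0/1 both
! Deliver the copies to the port the Snort box's second NIC is plugged into
monitor session 1 destination interface FastEthernet0/24

! Check the session is active and has the expected source/destination
show monitor session 1
```

Two practical points when checking this setup. First, a SPAN destination port does not forward the sniffing host's own traffic onto the network, so that NIC is effectively receive-only without any special cable, and it still gets link, which is the symptom the original poster was missing with the home-made tap. Second, mirroring `both` directions of a full-duplex 100 Mb port can produce up to 200 Mb of copies for a 100 Mb destination, so under load the switch silently drops mirrored frames; if Snort reports far fewer packets than the firewall passes, that oversubscription is the first thing to rule out.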


-----Original Message-----
From: Jim Richards [mailto:jrichards () meandaur com] 
Sent: Tuesday, June 08, 2004 10:12 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Taps, Rx Only Cables & Hubs - Which one(s)?


I'm trying to get Snort running on Win2K with MSSQL...so far I have been
successful.  The next step is to implement it into the network in
receive only mode (stealth) but I am seeing conflicting configurations
for this in the mail list archives and on the web.  From what I've
gathered, using a tap and a receive only cable is the only way this
works but it won't work when going to a switch?  Here was my original
thinking:

Firewall ------  Tap  -------  Switch to Network
                    |
                  Snort

I made my own tap via:  http://www.snort.org/docs/tap/

It says it can be used on any hub or switch and any OS.  But, I get no
link on the Snort box and no data coming in.  According to the mail list
archives, I need to add the Rx only cable...after diagramming it out with
the tap, basically it would mean just tying pins 1&2 on the Snort NIC
together:

TAP
                                
A                   Host Host   B
1     |----------       1----1  1
2     | |--------       2----2  2
3-----| |               3----3------3
4         |             4----4------4
5         |             5----5  5
6-------|               6----6  6
7                       7----7  7
8                       8----8  8


                Rx Only Cable           
        Host            IDS     
     |--------1         1---|
     |    |---2         2---|
     |---|----3---------3       
          |       4             4       
          |       5             5       
          |---6---------6       
                  7             7       
                  8             8       

So what we have here, after all is done, is basically a pile of wires
that does nothing, because pins 1&3 and 2&6 on both "host" sides are tied
together and thus there is no pass-thru of data.


I have seen several people recommend an Rx only cable and a hub...but
then what is the point of having a tap?  Isn't the Rx cable and the hub
acting as your tap?  Not to mention, this hub then becomes the single
point of failure.  In a highly redundant environment, this just won't
work.  Is there anyone out there who can give me any idea on how to implement
this? I've got my ears wide open because my brain is a pile of jello at
this point...  =)


Thanks!

Jim Richards
IT Manager
www.meandaur.com
+1 847 296 2300 x 233
+1 847 296 7975
jrichards () meandaur com
Visit Meandaur at the Jupiter Media / Search Engine Strategies
Conference August 2-5 in San Jose, CA.



-------------------------------------------------------
This SF.Net email is sponsored by: GNOME Foundation
Hackers Unite!  GUADEC: The world's #1 Open Source Desktop Event.
GNOME Users and Developers European Conference, 28-30th June in Norway
http://2004.guadec.org
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

