Re: Snort config and setup Need you help - Please!

[Matt Kettler <mkettler () evi-inc com>]

Arthur Chilipweli wrote:
> Hi,
> Please Someone may be able to guide me in the right direction ( I am a
> new bee on snort and Unix) I am not sure where I am going wrong I have
> Installed Snort on a 1.3 Mhz PC with 512 RAM, and is working fine
> (logging traffic towards the box and the NIC where is installed), but my
> problem I have is the only traffic I can see and is getting logged is
> only towards the box I have snort installed, brief setup I have is like this
>
> I have three machines Win 2000, Win Adv serve 2003 and Fedora core
> 3(Snort is installed) all have 1 NIC in them, all Connected to a hub and
> the hub is connected to my Router and to my Cable Modem, I thought (but
> may be I am wrong) that snort will be able to log all traffic on my tiny
> network as long as I define my HOM_NET Correct.

Is the "hub" a "dual speed 10/100" hub, or a true single speed hub (rare these
days, especially the 100mbit variety).

If the "hub" is a dual-speed version, 99.9% of the time it's actually more like
a half-duplex version of a switch, and your snort box won't see traffic being
sent to other machines in the network.

There always has to be some form of switching in a dual-speed hub, as it
otherwise would degrade in performance to be the same as a 10 mbit hub.


low-to-moderate-cost Options:
1) get a true 10mbit hub, and replace your dual speed with that. Downside is
network performance will be slow going between the pc's. The other downside is
few people still make these, so you may have to look at online liquidators to
find one.

2) get a 10mbit hub and use it as a cheap tap, place it between the dual-speed
and your cable modem and attach snort to that. This way snort will see
everything passing between your machines and the Internet. However, it won't see
anything sent between the boxes themselves. Internet bandwidth will be limited
to about 4mbit/sec (less than 10mbit due to collisions), but unless your
cablemodem is faster than that you won't notice.

3) buy or build a passive network tap, but this will require your snort box to
have 2 nics dedicated to sniffing.

4) buy a smart switch which is capable of port mirroring. The cheapest I know of
is the netgear FSM726, costs about $200. Attach the snort box to a port and make
it mirror whatever ports you want to monitor. If you monitor internal ports I'd
suggest using one of the gig ports as a mirror and a gig nic in your snort box.
(a saturated 100mbit link monitored in both directions is 200mbit of traffic.)






-------------------------------------------------------
This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening
July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual
core and dual graphics technology at this free one hour event hosted by HP,
AMD, and NVIDIA.  To register visit http://www.hp.com/go/dualwebinar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users