RE: External snort monitoring

[Steve Halligan <agent33 () geeksquad com>]

> I called
> Linksys to verify that this is a hub and not a switch. and i 
> do not need to
> set an IP for the sensor correct?
>
> > I have my cable modem hooked into a Linksys 5 port hub and 
> I also have
> > a snort sensor configured on the hub to catch all traffic 
> coming to my
> > network. from the 5 port hub it connects into a Linksys 
> router which is
> > where my server is located. my question is why can i catch 
> traffic on
> > my internal snort sensor connected to the Linksys router, 
> but all I can
> > see are ARP requests on the external snort sensor which is 
> connected to
> > the hub? anyone have any ideas?
This Linksys Cable "router" has a 4 or 5 port "hub" built into it, right?
Is that hub, or your linksys hub 10/100?  Or are they both strictly 10?  My
guess is that the NIC in the snort box is a 10, the one in the server is a
100, the eth interface on the cable modem is a 100.  A 10/100 hub is in most
cases actually like a 10 hub and a 100 hub hooked up with a 2 port switch.
The 10 side will never see traffic that starts and ends on the 100 side.

-Steve

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users