Snort mailing list archives
strange promiscuous mode behavior
From: "Ben Keepper" <bkeepper () Paladinss com>
Date: Thu, 31 Jan 2002 22:04:20 -0800
I am having a fit trying to figure this one out.

2 Demarc/Snort sensors. One has three NICs with one NIC to a hub between the router and firewall, one to a hub in the DMZ, and one to the inside network as a management interface. All this data goes to a dual-homed box that has one interface snorting on the inside network, and the other interface being the main SID/MYSQL/DEMARC NIC for the whole network.

The box that is monitoring the DMZ and outside network is using the same dual Intel NIC to watch these segments. The DMZ interface is working perfectly, but the interface on the outside network refuses to see packets. A tcpdump reveals the ARPs, but no real data. Even giving the NIC an IP address within the external IP address range of the firewall and then in promisc mode reveals no data unless the packets are directed at that specific IP.

The hub (Netgear DS-16) in the DMZ and the external net are identical, so I don't think it's the hub, and, like I said, this is a dual port card, with one port perfectly content, and the other not seeing anything.

What gives? Shouldn't I be able to see any data between the router and firewall with a tcpdump?

TIA,
Ben

Ben Keepper
Security Engineer
"I like to play with things awhile... before annihilation" -Emperor Ming the Merciless
Current thread:
- strange promiscuous mode behavior Ben Keepper (Jan 31)
- Re: strange promiscuous mode behavior Erek Adams (Jan 31)
- RE: strange promiscuous mode behavior Chris Grout (Jan 31)
- Re: strange promiscuous mode behavior Jason Haar (Feb 03)