Snort mailing list archives

RE: A Couple of Questions


From: "Lars Borland" <lborland () TriadAssoc com>
Date: Fri, 31 Jan 2003 13:42:16 -0800

There is software like WildPacket's EtherPeek that is able to detect
"error packets".  I imagine a failing NIC would generate lots and
therefore give itself away.  I understand what Eli is saying regarding
this but, depending on the errors, I'd think some of them would make it
to the IP layer.  

I also just read this off the WildPackets/EtherPeek site and I think I
may be wasting my time with this...  "Error Packet Capture:  EtherPeek
has the ability to capture error packets on the network. These errors
include: Runt, Oversize, Frame Alignment, and CRC. Most adapters on the
market discard error packets automatically. To capture errors, you must
use one of the supported error capture cards with a special WildPackets
driver installed."  If most modern NICs discard error packets then
there's neither any harm done nor will any error packets be seen by
Snort prior to being discarded (without the spiffy/castrated NIC and
WildPackets Drivers(TM) that is).  Thanks for bearing with me regarding
this.

Talk to you all later, Lars.


-----Original Message-----
From: twig les [mailto:twigles () yahoo com] 
Sent: Friday, January 31, 2003 11:50 AM
To: Lars Borland; Morgan R. Elmore; snort-users () lists sourceforge net
Subject: RE: [Snort-users] A Couple of Questions


I have caught an errant NIC before (bad driver) using
the eval of sniffer pro.  All I noticed was that one workstation was
blabbing ten times more than the others and the lady sitting at the
station was in finance and had no idea what a driver was.

As for Snort detecting this, the NIC would have to
break a rule and send bad packets like same
source/dest or something.  I have seen our glorious
firewall vendor do this many times, and when
tcpdumping the packets to see wth is going on the
packets had bad checksums and were being dropped at
the switch interface.  
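Both messages above come down to the same point: frame-level errors (runt, oversize, alignment, CRC) are discarded by the adapter before Snort ever sees them, so what a sensor can still catch from a misbehaving NIC or driver is an IP-layer anomaly such as a bad IP header checksum or a packet whose source and destination addresses are identical. The script below is an added illustration of those two checks and is not code from this thread or from Snort; it builds a few constructed IPv4 packets inline (the addresses, the flipped checksum bits and the `triage_capture` helper are all assumptions made for the example) and reports what a decoder would flag for each.

```python
import socket
import struct
from typing import Dict, List

IPV4_MIN_HDR = 20


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 checksum: 16-bit ones-complement sum, then complement the result."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes = b"",
               corrupt_checksum: bool = False) -> bytes:
    """Construct a minimal IPv4 packet (no options, proto 17) for the example."""
    ihl = 5
    total_len = ihl * 4 + len(payload)
    # Header with the checksum field zeroed; field order per RFC 791.
    header_no_sum = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_len, 0x1234, 0, 64, 17, 0,
        socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(header_no_sum)
    if corrupt_checksum:
        # Constructed fault: flip the low byte, standing in for a driver
        # that emits a header it never recomputed the checksum for.
        csum ^= 0x00FF
    header = header_no_sum[:10] + struct.pack("!H", csum) + header_no_sum[12:]
    return header + payload


def inspect_ipv4(packet: bytes) -> List[str]:
    """Return the decoder-level findings for one IPv4 packet (empty list if clean)."""
    findings: List[str] = []
    if len(packet) < IPV4_MIN_HDR:
        return ["truncated"]
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4
    if version != 4:
        return ["not-ipv4"]
    if ihl < IPV4_MIN_HDR or len(packet) < ihl:
        return ["bad-ihl"]
    header = packet[:ihl]

    # Check 1: recompute the header checksum with the stored field zeroed.
    stored = struct.unpack("!H", header[10:12])[0]
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    if ipv4_checksum(zeroed) != stored:
        findings.append("bad-ip-checksum")

    # Check 2: identical source and destination address (the "same
    # source/dest" symptom mentioned in the thread).
    if header[12:16] == header[16:20]:
        findings.append("same-src-dst")

    # Check 3: total length claims more bytes than were captured.
    total_len = struct.unpack("!H", header[2:4])[0]
    if total_len > len(packet):
        findings.append("truncated-payload")
    return findings


def triage_capture(packets: List[bytes]) -> Dict[int, List[str]]:
    """Map packet index to findings, keeping only packets that raised something."""
    result: Dict[int, List[str]] = {}
    for idx, pkt in enumerate(packets):
        found = inspect_ipv4(pkt)
        if found:
            result[idx] = found
    return result


# Constructed sample capture: one clean packet, one with a corrupted header
# checksum, one with src == dst. Addresses are placeholders for the example.
SAMPLE_CAPTURE = [
    build_ipv4("10.0.0.1", "10.0.0.2", b"hello"),
    build_ipv4("10.0.0.1", "10.0.0.2", b"hello", corrupt_checksum=True),
    build_ipv4("10.0.0.3", "10.0.0.3"),
]

if __name__ == "__main__":
    for idx, reasons in triage_capture(SAMPLE_CAPTURE).items():
        print(f"packet {idx}: {', '.join(reasons)}")
```

A single bad-checksum packet proves little, since a host with checksum offload enabled will show wrong checksums to a sensor running on that same host; the useful signal is the pattern twig les describes, one station producing these far more often than its neighbours, so in practice the counts from `triage_capture` should be grouped by source address before anyone goes looking at a NIC.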


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
