Snort mailing list archives
RE: A Couple of Questions
From: "Lars Borland" <lborland () TriadAssoc com>
Date: Fri, 31 Jan 2003 13:42:16 -0800
There is software like WildPacket's EtherPeek that is able to detect "error packets". I imagine a failing NIC would generate lots and therefore give itself away. I understand what Eli is saying regarding this but, depending on the errors, I'd think some of them would make it to the IP layer.

I also just read this off the WildPackets/EtherPeek site and I think I may be wasting my time with this...

"Error Packet Capture: EtherPeek has the ability to capture error packets on the network. These errors include: Runt, Oversize, Frame Alignment, and CRC. Most adapters on the market discard error packets automatically. To capture errors, you must use one of the supported error capture cards with a special WildPackets driver installed."

If most modern NICs discard error packets then there's neither any harm done nor will any error packets be seen by Snort prior to being discarded (without the spiffy/castrated NIC and WildPackets Drivers(TM) that is).

Thanks for bearing with me regarding this.

Talk to you all later,
Lars.

-----Original Message-----
From: twig les [mailto:twigles () yahoo com]
Sent: Friday, January 31, 2003 11:50 AM
To: Lars Borland; Morgan R. Elmore; snort-users () lists sourceforge net
Subject: RE: [Snort-users] A Couple of Questions

I have caught an errant NIC before (bad driver) using the eval of sniffer pro. All I noticed was that one workstation was blabbing ten times more than the others and the lady sitting at the station was in finance and had no idea what a driver was.

As for Snort detecting this, the NIC would have to break a rule and send bad packets like same source/dest or something. I have seen our glorious firewall vendor do this many times, and when tcpdumping the packets to see wth is going on the packets had bad checksums and were being dropped at the switch interface.
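Added example (not part of the original thread or of Snort/EtherPeek): a sketch of which of the anomalies mentioned above are checkable in software on frames that do reach the capture layer, namely runt/oversize by length, a bad IPv4 header checksum, and identical source/destination addresses. It assumes frames arrive without the 4-byte FCS, so CRC and alignment errors cannot be checked here; build_frame, inspect and all sample frames are constructed for illustration.

```python
import struct

# Assumed sizes without the 4-byte FCS, which ordinary capture does not deliver.
ETH_MIN, ETH_MAX = 60, 1514

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src, dst, payload=b"", corrupt=False, pad=True) -> bytes:
    """Constructed sample: Ethernet II + IPv4 (protocol 253, experimental)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                     64, 253, 0, bytes(src), bytes(dst))
    csum = ip_checksum(ip) ^ (0x0101 if corrupt else 0)
    ip = ip[:10] + struct.pack("!H", csum) + ip[12:]
    frame = (b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
             + b"\x08\x00" + ip + payload)
    return frame.ljust(ETH_MIN, b"\x00") if pad else frame

def inspect(frame: bytes) -> list:
    """Return the anomalies visible above the NIC for one captured frame."""
    findings = []
    if len(frame) < ETH_MIN:
        findings.append("runt")
    if len(frame) > ETH_MAX:
        findings.append("oversize")
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return findings                      # not IPv4, nothing more to check
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return findings + ["truncated-ip-header"]
    header = frame[14:14 + ihl]
    if ip_checksum(header) != 0:
        findings.append("bad-ip-checksum")
    if header[12:16] == header[16:20]:
        findings.append("same-src-dst")
    return findings

if __name__ == "__main__":
    a, b = [10, 0, 0, 5], [10, 0, 0, 9]      # constructed addresses
    for name, f in [("clean", build_frame(a, b)),
                    ("bad checksum", build_frame(a, b, corrupt=True)),
                    ("same src/dst", build_frame(a, a)),
                    ("runt", build_frame(a, b, pad=False))]:
        print(f"{name:13s} {inspect(f)}")
```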
Current thread:
- A Couple of Questions Lars Borland (Jan 30)
- <Possible follow-ups>
- RE: A Couple of Questions Morgan R. Elmore (Jan 30)
- RE: A Couple of Questions Lars Borland (Jan 31)
- Re: A Couple of Questions Eli Stair (Jan 31)
- RE: A Couple of Questions twig les (Jan 31)
- RE: A Couple of Questions Lars Borland (Jan 31)