Snort mailing list archives
RES: A Couple of Questions [Snort-users]
From: "Romulo M. Cholewa" <rmc () rmc eti br>
Date: Sat, 1 Feb 2003 02:43:48 -0300
A reminder: If you have a switched network, you can always look into the switch management software or statistics. Most of the time they come with a CRC error count per port. That would give away a faulty NIC or cable.

If you are trying to get warned about these kinds of problems, you also have the option of using SNMP traps. Most managed switches can be configured to send traps if they encounter a bad frame error / CRC error, or if the error count is higher than a preconfigured threshold.

But your question reminds me of a time when I was able to use LANalyzer :D

Romulo M. Cholewa
Home : http://www.rmc.eti.br
Forum: http://zeus.rmc.eti.br/forum
PGP Keys Available @ website.

]-----Original Message-----
]From: Lars Borland [mailto:lborland () TriadAssoc com]
]Sent: Friday, January 31, 2003 18:42
]To: twig les; Morgan R. Elmore; snort-users () lists sourceforge net
]Subject: RE: A Couple of Questions
]
]
]There is software like WildPackets' EtherPeek that is able to
]detect "error packets". I imagine a failing NIC would
]generate lots and therefore give itself away. I understand
]what Eli is saying regarding this but, depending on the
]errors, I'd think some of them would make it to the IP layer.
]
]I also just read this off the WildPackets/EtherPeek site and I
]think I may be wasting my time with this... "Error Packet
]Capture: EtherPeek has the ability to capture error packets
]on the network. These errors
]include: Runt, Oversize, Frame Alignment, and CRC. Most
]adapters on the market discard error packets automatically. To
]capture errors, you must use one of the supported error
]capture cards with a special WildPackets driver installed."
]If most modern NICs discard error packets then there's neither
]any harm done nor will any error packets be seen by Snort
]prior to being discarded (without the spiffy/castrated NIC and
]WildPackets Drivers(TM) that is). Thanks for bearing with me
]regarding this.
]
]Talk to you all later, Lars.
]
]
]-----Original Message-----
]From: twig les [mailto:twigles () yahoo com]
]Sent: Friday, January 31, 2003 11:50 AM
]To: Lars Borland; Morgan R. Elmore; snort-users () lists sourceforge net
]Subject: RE: [Snort-users] A Couple of Questions
]
]
]I have caught an errant NIC before (bad driver) using
]the eval of sniffer pro. All I noticed was that one
]workstation was blabbing ten times more than the others and
]the lady sitting at the station was in finance and had no idea
]what a driver was.
]
]As for Snort detecting this, the NIC would have to
]break a rule and send bad packets like same
]source/dest or something. I have seen our glorious
]firewall vendor do this many times, and when
]tcpdumping the packets to see wth is going on the
]packets had bad checksums and were being dropped at
]the switch interface.

-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
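Added example, not part of the original message or thread: one way to apply the per-port CRC error threshold described above from a polling host, by comparing two snapshots of EtherLike-MIB::dot3StatsFCSErrors. The snmpwalk output is constructed sample data, and the function names and the threshold of 100 are assumptions.

```python
import re

# Constructed sample data: two polls of EtherLike-MIB::dot3StatsFCSErrors
# (OID 1.3.6.1.2.1.10.7.2.1.3) in net-snmp snmpwalk output format.
POLL_T0 = """\
EtherLike-MIB::dot3StatsFCSErrors.1 = Counter32: 12
EtherLike-MIB::dot3StatsFCSErrors.2 = Counter32: 4294967200
EtherLike-MIB::dot3StatsFCSErrors.3 = Counter32: 0
EtherLike-MIB::dot3StatsFCSErrors.4 = Counter32: 77
"""
POLL_T1 = """\
EtherLike-MIB::dot3StatsFCSErrors.1 = Counter32: 15
EtherLike-MIB::dot3StatsFCSErrors.2 = Counter32: 404
EtherLike-MIB::dot3StatsFCSErrors.3 = Counter32: 0
EtherLike-MIB::dot3StatsFCSErrors.5 = Counter32: 9000
"""

LINE_RE = re.compile(r"dot3StatsFCSErrors\.(\d+) = Counter32: (\d+)\s*$")
COUNTER32_MOD = 2 ** 32  # Counter32 wraps back to 0 after 2^32 - 1

def parse_walk(text):
    """Return {ifIndex: counter} from snmpwalk text, skipping other lines."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counters[int(m.group(1))] = int(m.group(2))
    return counters

def fcs_error_deltas(before, after):
    """Per-port increase between two polls, allowing one Counter32 wrap.
    Ports missing from either poll are skipped: there is no baseline."""
    return {port: (after[port] - before[port]) % COUNTER32_MOD
            for port in before.keys() & after.keys()}

def ports_over_threshold(before_text, after_text, threshold):
    """Sorted (ifIndex, delta) pairs whose delta exceeds the threshold."""
    deltas = fcs_error_deltas(parse_walk(before_text), parse_walk(after_text))
    return sorted((p, d) for p, d in deltas.items() if d > threshold)

if __name__ == "__main__":
    # Assumed threshold: more than 100 new FCS errors between polls.
    for port, delta in ports_over_threshold(POLL_T0, POLL_T1, threshold=100):
        print(f"ifIndex {port}: {delta} new FCS/CRC errors since last poll")
```

A counter that was reset (for example by a switch reboot) also shows up as a very large delta, so compare sysUpTime between polls before treating such a value as real errors.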
Current thread:
- RES: A Couple of Questions [Snort-users] Romulo M. Cholewa (Jan 31)