Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort not seeing all traffic?

From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 23 Apr 2003 17:43:27 -0400
First question:

Is the "hub" a 10/100 dual-speed hub?

If so:
 what speed is the interface from the hub to router?
 what speed is the interface from the hub to the switch?
 what speed is the interface from the hub to eth1 on the IDS box?
If all three numbers are not the same, that's your problem. The 10/100 "auto switching" hubs are network-wise equivalent to a pair of hubs connected by a 2-port switch (also called an ethernet bridge if you want to get technical about it, and some of these hubs call themselves "auto bridging" instead of "auto switching") 

10mbit hub      ----- switch ------- 100 mbit hub
Thus if there's mismatch in speeds (ie: the snort box is the only 100mbit connection and the other 2 are 10mbit), it won't actually see the traffic because of the internal switch between the two speeds. 

At 03:17 PM 4/23/2003 -0400, Patrick Jones wrote:

Snort 1.9.1
Red Hat 8.0
2 NICs
Eth0 10.x.x.x
Eth1 no address
Installed ACID

Topology:
Router - Hub - Switch - Firewall - Internal Network
          |                          |
          |                          |
        (Eth1)                       |
        IDS(eth0)------------------/




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: