Snort mailing list archives
Re: Snort missing traffic...?
From: PJ-ML <p.jones.ml () xsb com>
Date: Thu, 08 May 2003 11:35:27 -0400
Thanks for that insight...I am thinking along the same lines that the hub, Linksys Etherfast Workgroup Hub, is acting like a switch...it does see some traffic but not all...very strange. Has anyone else seen something like this?
Here is some more info that occurred to me. It (the IDS) will see traffic to itself and other servers that are not behind the firewall...it misses traffic that is destined for the IP addresses that are being protected by the firewall...

Router (10.25.1.1) - - - Hub - - - FTP(10.25.1.6)
                          |
                          |- - - IDS(10.25.1.3)
                          |
                      firewall(10.25.1.2, 10.25.1.5, 10.25.1.7)

With that diagram, I see traffic and exploits that are for the IDS and FTP and not any IPs on the firewall...
~PJ

At 11:49 AM 5/8/2003, Rich Adamson wrote:

Sounds like the hub is really a switch. Since you didn't mention what type of device it is, I'll mention what we've seen as network consultants that do this type of work all the time. We happen to use a NetGear 4 port hub, but have noticed (for this model only) that if one port is 10 meg and another is 100 meg, it acts as a switch instead. We also have an older 3Com 10/100 24-port hub that does the same thing.

Try running snort in sniffer mode from the command line, like...

snort -v -n 30

and look at the packets to see if the server's address appears. If you see the server sending broadcast packets, your hub is probably acting as a switch. If you don't see the server at all (you can ping it from another machine) then there is some other problem.

> I ran some exploits on the snort server and acid reported them. I ran the
> same exploits on a server in the same sub-net and acid does not report any
> of this. I looked at the alert file in /var/log/snort and nothing regarding
> the exploits run against the other server are there. I am confused. I
> specified my HOME_NET, for example 10.25.1.0/24... The snort server is
> 10.24.1.24 and the server I also ran exploits on is 10.25.1.20.
>
> The ethernet link to hub and to other parts of the network are all 100
> base. Could it be the speed of the server? Not sure where to go, I know
> that I must tune the server, but I do not know what to tune if it is not
> seeing even purposeful exploits...I will be more than happy to give any
> more info that anyone requires to help me figure this out...except for the
> root password to my machine ;-)
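The sniffer-mode check Rich describes (does the protected server show up at all, or only in its broadcasts?) can be scripted; this is an added example, not code from the thread or from Snort. It assumes the Snort 2.x `-v` header line format (timestamp, src -> dst, then a protocol line) and uses a constructed sample of sniffer output with the thread's 10.25.1.0/24 addresses.

```python
import re

# Constructed sample of `snort -v` output (not a real capture). The header
# format is approximated from Snort 2.x: "MM/DD-HH:MM:SS.usec SRC:PORT -> DST:PORT".
SAMPLE_SNIFFER_OUTPUT = """\
05/08-11:49:01.100000 10.25.1.1:2048 -> 10.25.1.6:21
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
05/08-11:49:01.200000 10.25.1.6:21 -> 10.25.1.1:2048
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF
05/08-11:49:02.000000 ARP who-has 10.25.1.1 tell 10.25.1.20
05/08-11:49:03.000000 10.25.1.20:138 -> 10.25.1.255:138
UDP TTL:128 TOS:0x0 ID:3 IpLen:20 DgmLen:229
05/08-11:49:04.000000 10.25.1.20:445 -> 10.25.1.3:445
TCP TTL:128 TOS:0x0 ID:4 IpLen:20 DgmLen:48 DF
"""

IP = r"(\d+(?:\.\d+){3})"
HEADER = re.compile(rf"^\S+ {IP}(?::\d+)? -> {IP}(?::\d+)?$")   # IP/TCP/UDP/ICMP headers
ARP = re.compile(rf"^\S+ ARP who-has {IP} tell {IP}$")           # ARP requests (broadcast)


def is_broadcast(ip):
    # Assumes a /24, as in the thread's HOME_NET 10.25.1.0/24.
    return ip == "255.255.255.255" or ip.endswith(".255")


def classify_host(sniffer_text, host, sensor):
    """Classify what the sensor sees of `host`:
    'visible'     - unicast to/from host with a third party: the hub really repeats
    'switch-like' - only broadcasts/ARP or frames addressed to the sensor itself
    'absent'      - host never appears (some other problem, as Rich notes)
    """
    unicast = broadcast = 0
    for line in sniffer_text.splitlines():
        m = HEADER.match(line)
        if m:
            src, dst = m.groups()
            if host in (src, dst):
                if is_broadcast(dst):
                    broadcast += 1
                elif sensor not in (src, dst):   # switch forwards sensor-bound frames anyway
                    unicast += 1
            continue
        m = ARP.match(line)
        if m and host in m.groups():
            broadcast += 1
    if unicast:
        return "visible"
    return "switch-like" if broadcast else "absent"
```

With the sample, the FTP host 10.25.1.6 is "visible", the server 10.25.1.20 is "switch-like" (only ARP, a NetBIOS broadcast and a frame to the sensor), and a constructed unused address such as 10.25.1.99 is "absent".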