Snort mailing list archives

Re: Sensor problem


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 09 Nov 2004 19:47:13 -0500

At 05:43 PM 11/9/2004, Cesar Sanabria Pineda wrote:
Hi, I'm having troubles detecting traffic, my network is more or less:

             DMZ
              |               |------- LAN 1  (segment 191.168.1.x)
INTERNET ---- GW --(1)---GW-- |-------- LAN 2 (segment 191.168.2.x)
                 segment X    |                .
                              |               .
                              |------- LAN N (segment 191.168.n.x)

I mean, my sensor is between gateways.
I put my sensor on (1), a segment x (192.x.x.x), and I would like to
catch all traffic from every LAN (segment), but I'm not logging all
alerts. I mean, supposedly I'm on the first segment and I ping a server
on the DMZ; I can't see the traffic, not even in sniffer mode, so the
question is:

No, the question is what did you plug your sniffer into?

If the answer is that you plugged it into a switch port, unless that switch is configured to span, you won't see traffic to machines other than broadcast and the local machine.

This is a fundamental and intentional design feature of a switch. It's what makes switches superior to passive hubs. Switches actually switch packets to the proper ports, instead of blindly echoing them to every port on the network. This makes the cross-sectional bandwidth of the network much higher, since many ports can be talking to other ports simultaneously. On a switch, port A can send to B and port C can send to D at the same time without collision, but D won't see the packet sent to B. And unless you're trying to sniff a network, this isn't a problem, it's a benefit. Things go faster, and sniffing is more difficult (a security improvement).

If it's a 10/100 "dual speed" hub, odds are the device in question still behaves more like a switch than a purely passive hub. Most of these devices of recent manufacture are basically switches without full-duplex support and/or smaller MAC tables.

You need to connect your sensor to a port that actually gets the traffic you want. Solutions here include:

10mbit (only) hub: cheap, but slow

macof or other MAC table flooding software: cheap, but can cause erratic behavior of the switch, slows down the LAN to hub-style speeds, and is not 100% reliable either. Will also cause some smarter switches to disable the port as a security violation.

managed switch with span port: flexible, but costs a few hundred bucks.

passive tap: very effective, highly secure, but complicated to set up. Requires you to put 2 NICs into your sniffer machine and bond the two together so you can see all the traffic. A third interface will be needed for management, as the others will be unable to send traffic.
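The point made above, that an unspanned switch port only delivers broadcast traffic and frames addressed to the sensor itself, can be checked directly from a capture. The following Python is an added example, not code from the thread or from Snort: it parses the destination MAC out of raw Ethernet frames and reports whether any frame was addressed to a third host, which is what a hub, span port or tap would deliver and a plain switch port would not. The sensor MAC, the two sample captures and the frame contents are all constructed for the example.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

# Constructed sensor MAC for the example (not from the thread).
SENSOR_MAC = bytes.fromhex("001122334455")


def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet II frame: dst(6) src(6) type(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_eth_dst(frame: bytes) -> bytes:
    """Return the 6-byte destination MAC of an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    return frame[0:6]


def classify_frame(frame: bytes, local_mac: bytes) -> str:
    """Classify a frame by who it was addressed to, as seen from the sensor."""
    dst = parse_eth_dst(frame)
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:          # group bit set: multicast (also flooded by switches)
        return "multicast"
    if dst == local_mac:
        return "local"
    return "foreign"           # unicast between two other hosts


def port_sees_foreign_traffic(frames, local_mac: bytes):
    """True if the capture contains unicast frames for other hosts, i.e. the
    sensor port is actually receiving spanned/hubbed/tapped traffic."""
    counts = Counter(classify_frame(f, local_mac) for f in frames)
    return counts["foreign"] > 0, counts


# Constructed sample captures. On a plain switch port the sensor only sees the
# first three kinds; the fourth frame (host A -> host B) appears only when the
# port is spanned, on a hub, or fed by a tap.
_a, _b = bytes.fromhex("00aaaaaaaaaa"), bytes.fromhex("00bbbbbbbbbb")
_arp_bcast = make_frame(BROADCAST, _a, 0x0806, b"\x00" * 28)
_mcast = make_frame(bytes.fromhex("01005e000001"), _b, 0x0800, b"\x45" + b"\x00" * 19)
_to_sensor = make_frame(SENSOR_MAC, _a, 0x0800, b"\x45" + b"\x00" * 19)
_a_to_b = make_frame(_b, _a, 0x0800, b"\x45" + b"\x00" * 19)

SWITCH_PORT_CAPTURE = [_arp_bcast, _mcast, _to_sensor]
SPAN_PORT_CAPTURE = [_arp_bcast, _mcast, _to_sensor, _a_to_b]
```

Feed it the frames from a short capture on the sensor interface; if the only classes that show up are broadcast, multicast and local, the port is not spanned, regardless of how Snort is configured.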
