Snort mailing list archives
Re: Sensor problem
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 09 Nov 2004 19:47:13 -0500
At 05:43 PM 11/9/2004, Cesar Sanabria Pineda wrote:
Hi, I'm having troubles detecting traffic. My network is more or less:

                              |------- LAN 1 (segment 191.168.1.x)
        DMZ                   |
         |                    |-------- LAN 2 (segment 191.168.2.x)
INTERNET ---- GW --(1)--- GW--|
             segment X        |   .
                              |   .
                              |------- LAN N (segment 191.168.n.x)

I mean, my sensor is between gateways. I put my sensor on (1), a segment X (192.x.x.x), and I would like to catch all traffic from every LAN (segment), but I'm not logging all alerts. I mean, supposedly I'm on the first segment and I ping a server on the DMZ, and I can't see the traffic even in sniffer mode, so the question is:
No, the question is what did you plug your sniffer into? If the answer is that you plugged it into a switch port, unless that switch is configured to span, you won't see traffic to machines other than broadcast and the local machine.
This is a fundamental and intentional design feature of a switch. It's what makes switches superior to passive hubs. Switches actually switch packets to the proper ports, instead of blindly echoing them to every port on the network. This makes the cross-sectional bandwidth of the network much higher, since many ports can be talking to other ports simultaneously. On a switch, port A can send to B and port C can send to D at the same time without collision, but D won't see the packet sent to B. And unless you're trying to sniff a network, this isn't a problem, it's a benefit. Things go faster, and sniffing is more difficult (a security improvement).
If it's a 10/100 "dual speed" hub, odds are the device in question still behaves more like a switch than a purely passive hub. Most of these devices of recent manufacture are basically switches without full-duplex support and/or smaller MAC tables.
You need to connect your sensor to a port that actually gets the traffic you want. Solutions here include:
10mbit (only) hub: cheap, but slow.
macof or other MAC table flooding software: cheap, but can cause erratic behavior of the switch, slows down the LAN to hub-style speeds, and is not 100% reliable either. Will also cause some smarter switches to disable the port as a security violation.
managed switch with span port: flexible, but costs a few hundred bucks.
passive tap: Very effective, highly secure, but complicated to set up. Requires you to put 2 NICs into your sniffer machine and bond the two together so you can see all the traffic. A third interface will be needed for management, as the others will be unable to send traffic.
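The symptom Matt describes (a sensor on an un-mirrored switch port sees only broadcast, multicast and frames addressed to its own NIC) can be checked from a short capture taken on the sensor. The script below is an added example for this archived thread, not code from either poster or from the Snort project: it parses a classic libpcap-format capture with the standard library only, classifies each Ethernet frame by destination MAC, and reports whether any frames destined for other hosts were seen at all. The two captures and the MAC addresses in it are constructed inline so the script runs offline; on a real sensor you would feed it a file written by tcpdump or snort -b and the MAC of the sniffing interface.

```python
"""Check whether a sniffer NIC sees other hosts' traffic or only broadcast/local frames.

Example code added to the archived mailing-list thread; not from the original
posters.  Reads a classic libpcap (pcap, not pcapng) capture of Ethernet frames.
"""
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1
BROADCAST = b"\xff" * 6


def parse_pcap(data: bytes):
    """Yield the raw bytes of each frame in a classic libpcap-format capture."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        end = "<"  # file written by a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"  # file written by a big-endian host
    else:
        raise ValueError("not a classic libpcap capture")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def classify_dst(frame: bytes, local_mac: bytes) -> str:
    """Bucket a frame by who it is addressed to, as seen from the sensor NIC."""
    if len(frame) < 14:
        return "runt"
    dst = frame[0:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:          # group bit set: multicast
        return "multicast"
    if dst == local_mac:
        return "local"
    return "other-host"         # unicast to somebody else: only visible if mirrored/tapped


def diagnose(pcap_bytes: bytes, local_mac: bytes):
    """Return (per-bucket counts, verdict) for a capture taken on the sensor NIC."""
    counts = Counter(classify_dst(f, local_mac) for f in parse_pcap(pcap_bytes))
    if sum(counts.values()) == 0:
        verdict = "no-frames"
    elif counts["other-host"] == 0:
        # Exactly what a normal (non-SPAN) switch port delivers to an attached host.
        verdict = "switch-port"
    else:
        verdict = "mirrored"    # SPAN port, hub or tap is delivering third-party traffic
    return dict(counts), verdict


# --- constructed sample data (not a real capture) ---------------------------
def eth_frame(dst: bytes, src: bytes, ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def build_pcap(frames) -> bytes:
    """Write a minimal little-endian libpcap file around the given frames."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


SENSOR_MAC = bytes.fromhex("001122334455")   # constructed: the sniffing NIC
HOST_A = bytes.fromhex("0a0a0a0a0a01")       # constructed: a LAN host
HOST_B = bytes.fromhex("0a0a0a0a0a02")       # constructed: a DMZ server

# What an un-mirrored switch port shows: ARP broadcast plus frames to the sensor itself.
SWITCH_PORT_CAPTURE = build_pcap([
    eth_frame(BROADCAST, HOST_A, ethertype=0x0806),
    eth_frame(SENSOR_MAC, HOST_A),
])

# What a SPAN port / hub / tap shows: the same, plus A <-> B traffic the sensor is not party to.
MIRRORED_CAPTURE = build_pcap([
    eth_frame(BROADCAST, HOST_A, ethertype=0x0806),
    eth_frame(HOST_B, HOST_A),
    eth_frame(HOST_A, HOST_B),
    eth_frame(SENSOR_MAC, HOST_A),
])

if __name__ == "__main__":
    for name, cap in (("switch port", SWITCH_PORT_CAPTURE), ("mirrored", MIRRORED_CAPTURE)):
        print(name, diagnose(cap, SENSOR_MAC))
```

A verdict of "switch-port" after a few minutes of capture (with a ping to the DMZ running from another host) confirms the sensor is attached to a plain switch port and one of the remedies above (SPAN port, hub or tap) is needed; the counts also make it obvious when a SPAN session is mirroring only one direction, since you will see frames to one host but never the replies.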