Snort mailing list archives

Re: Install location


From: "Eckhardt Newger" <enewger () gmx de>
Date: Sat, 15 Jan 2005 00:00:59 +0100

Hi Seth Art,

Thanks a lot. Now I see clearly why I need a hub in order to replicate the
whole net traffic I want to sniff. Also thanks for directing me to the
thread concerning NIC configuration.

Still there are two possibilities for setup as you mentioned:

1. DSL modem --> hub --> router

2. DSL modem --> router --> hub

where Snort is always attached to the hub, and all the workstations to
the router in 1. and to the hub in 2. Can you explain in short the pros
and cons of both installations, or do you have a link where to get more
information on that? Obviously I'll get much more logging in setup 1.,
before a lot of traffic is thrown away by the router. Is it worthwhile
looking at it? Or are there other advantages?

Best regards

Eckhardt Newger

-----Original Message-----
From: Seth Art [mailto:sethart () gmail com]
Sent: Friday, 14 January 2005 22:15
To: Eckhardt Newger
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Install location

If you only care about the traffic going to the machine that snort is
running on then you don't need a hub.  If you would like snort to be
able to see the traffic to/from all the machines on your lan you need a
hub.  A switch is *smart* enough to let traffic to host A only be seen
by host A, and traffic sent to host B only be seen by host B.
This cuts down on high load networks.  But if the interface that snort
is on is C, with a router/switch the only thing that snort will see is
traffic sent to C.  A hub is "dumb" however and sends all traffic to
all ports.  A will see traffic to/from a/b/c, B will see traffic to/from
a/b/c.  But most importantly, the snort interface C will see all traffic
sent to A, B, and C.

By default A and B will ignore the traffic sent to them but addressed to
the other hosts.  But Snort will turn on promiscuous mode which will let
C accept all of A,B, and C's traffic.

That... is why you need a hub.

As far as bridging, that is something between your router/switch and DSL
modem.  If everything is working fine now without bridging adding a hub
or using snort will not affect it at all.

Lastly, as far as conflicts with the extra interface: read the thread
Multi Homed Sensor

Q. How do I configure snort to listen on eth1 but report out on eth0?
A. I have mine configured with eth0 being connected to the SPAN port (in
your case this will be a hub) which is configured just as:

# ifconfig eth0 up

so it has no IP address etc. I think snort will kick it into promiscuous
mode, but if not, you can manually do it by # ifconfig eth0 promisc

snort takes a command line parameter '-i eth0' to tell it which
interface to use, and eth1 is set up "as usual", with IP address,
netmask and default gateway set. Linux is clever enough to use eth1 for
all communications.

cheers,
Jamie

Basically you still have some reading to do.  The more reading you do
the more all of this will make sense.  Good luck.

-Seth



On Fri, 14 Jan 2005 20:49:59 +0100, Eckhardt Newger <enewger () gmx de>
wrote:
Hi Seth Art,

Thanks for your reply. So it seems feasible to use an existing
workstation for a snort installation. Fine.

All my traffic is handled by a D-Link 614+: it acts as switch for my
LAN clients, as AP for wireless LAN clients, and as router to connect
to the Internet via a separate DSL modem. So do you see any need to
additionally install a hub? Network traffic is moderate, so
performance considerations don't have to be taken into account here.

I've read somewhere that I might be obliged to do port bridging when
using a switch. I must confess that I'm totally unclear about this.

Finally, should I give Snort an Ethernet card of its own to connect to
the LAN, and, if so, how to avoid conflicts with the already installed
Ethernet card used by the workstation for its normal network traffic?

Any further hints are highly welcome.

Best regards

Eckhardt Newger
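As an added example (not code from the thread, nor from the Snort project), here is the multi-homed sensor setup Jamie's quoted answer describes, written for sh with ip(8) instead of ifconfig: the sniff-only interface comes up with no address and promiscuous mode on, the management interface keeps its normal IP, netmask and default gateway, and two small checks confirm the sensor state from ip(8) output. The interface names eth1/eth0, the /etc/snort/snort.conf and /var/log/snort paths, and the sample ip(8) lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a dedicated sniff-only interface for a
# multi-homed Snort sensor (interface up, no IP, promiscuous), using ip(8).
# Interface names and the snort config/log paths are assumptions.

SNIFF_IF="${SNIFF_IF:-eth1}"   # plugged into the hub; carries no IP address
MGMT_IF="${MGMT_IF:-eth0}"     # normal interface: IP, netmask, default gateway

# Commands that bring the sniff interface up without an address and with
# promiscuous mode on, so the NIC hands frames for A, B and C to Snort.
sensor_setup_cmds() {
  printf '%s\n' \
    "ip addr flush dev $1" \
    "ip link set dev $1 up" \
    "ip link set dev $1 promisc on"
}

# The Snort invocation: -i selects the sniff interface (as in the thread);
# -c and -l are Snort's standard config-file and log-directory options.
snort_cmd() {
  printf 'snort -i %s -c /etc/snort/snort.conf -l /var/log/snort\n' "$1"
}

# Run the setup. DRY_RUN=1 (default) only prints the commands; DRY_RUN=0
# executes them and needs root.
apply_setup() {
  sensor_setup_cmds "$1" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "# $cmd"; else $cmd; fi
  done
}

# Sanity check on one line of:  ip -o link show dev "$SNIFF_IF"
# Returns 0 when the link is UP and flagged PROMISC, 1 otherwise.
link_is_promisc_up() {
  case "$1" in
    *PROMISC*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *"state UP"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Sanity check on the output of:  ip -o -4 addr show dev "$SNIFF_IF"
# Returns 0 when it is empty: the sniff interface must never carry an IP,
# so it stays silent on the monitored segment and only listens.
link_has_no_ipv4() {
  [ -z "$1" ]
}

# Constructed sample lines in ip(8) format (not captured from a real host).
SAMPLE_LINK_OK='2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_LINK_BAD='2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDR_BAD='2: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1'

apply_setup "$SNIFF_IF"
snort_cmd "$SNIFF_IF"
if link_is_promisc_up "$SAMPLE_LINK_OK" && link_has_no_ipv4 ""; then
  echo "# sample sensor state: OK (promiscuous, no IPv4 address)"
fi
```

Run it as-is to see the commands it would issue; run it with DRY_RUN=0 as root to apply them. Keeping the sniff interface address-less is what lets Snort see A's and B's traffic without the sensor itself ever answering on that segment, while alerts, remote logging and administration go out over the management interface.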


