[Snort-users] Creating a 'read-only' 100/10BaseT ethernet cable
wlmarque at ...8...
Thu Jan 4 11:59:25 EST 2001
The problem is that neither the card nor the hub will detect carrier if some of
the cables are "snipped". You probably want some type of ethernet tap device to
do this; at least on 100Mbit equipment...older 10Mbit equipment can sometimes
support this setup I understand. In theory you could "fake" the carrier signal,
but in the long run it's easier, cheaper, and more reliable to purchase a
commercial ethernet tap.
From: "Ed Padin" <ohdamnthathurts at ...131...> on 01/04/2001 10:22 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Creating a 'read-only' 100/10BaseT ethernet cable
I've been trying to create a patch cable for a snort box that is a
'read-only' cable. I remember people on this list mentioning something about
this but could not turn up anything on the archives. I know that you can run
snort on an interface that has no IP address but I'd also like to provide
physical security to guard against a configuration error.
I think I remember that you need to complete only one of the pairs in order
to read packets but the other pair to write packets is not used. Here's what
I tried so far:
Create a cable where only pair 1&2 are used
Create a cable where only pair 3&6 are used
Create a cable where only pair 1&2 are used and 3&6 looped back to the hub
Create a cable where only pair 3&6 are used and 1&2 looped back to the hub
I'm trying this on a hub that does 100Mbit ethernet and supports full
duplex. The card I am using usually negotiates a full duplex connection. I
have tried rebooting the box with each config mentioned above.
Has anybody got this working? If so, could you describe your configuration?