[Snort-users] Re: Snort on linux with multiple network cards

Sean C Doherty seand at ...232...
Tue Jan 23 19:20:26 EST 2001


A possible answer to your question below:

Many 10/100 hubs will set up separate domains for the 10 and 100 links and
internally manage the traffic.  On these hubs snort will only "see" traffic
in the domain it belongs to (i.e., if it has a 100 Mb/s NIC it will only see the
100 Mb/s traffic, and vice versa).  I have had experience with an "auto sensing"
card on a snort probe seeing different traffic (100 or 10) at different
times after a reboot, depending on what speed it settles on when
communicating with the hub.

Sean D

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Peter Bates
> Sent: Tuesday, January 23, 2001 4:06 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Re: Snort on linux with multiple network cards
>
>
>
> Hello again all...
>
> I would like to thank everyone who helped me out
> in my hour of stupidity, and finally assisted
> with me having a working, snorting setup.
>
> To recap... I was being driven mad by the fact
> that two identical (Intel EtherPro100) NICs
> in a machine appeared to be totally missing any
> interesting traffic during testing on a simple
> hub-based setup under Linux (mangled RH 6.2 with 2.4 kernel)
>
> One NIC had a fixed IP address fully plumbed
> as a 'management' port behind our firewall
> for testing, and the other was to be just brought
> up 'addressless' in promisc. mode, as described multiple
> times in the FAQ, on this list, etc. etc.
>
> Testing this on a simple 4-port 10/100 hub, I had
> the snort box plumbed into 1 port, and two other
> systems hanging off the other remaining ports.
>
> Basically, running even a slim set of rules, snort saw
> the ftp traffic to a Windows NT box (1 of the 2) running
> at 100Mb/s, triggering the 'null' user/password rule,
> but failed to see any traffic directed to the other box,
> an aging Sparc running RH 6.x, but only at 10Mb/s...
>
> Now the snort box is 'in its rightful place' at a mirrored/spanned
> port listening to the traffic coming from our external link,
> I happily see the rule being triggered for either box...
>
> Thanks again to all for their help... if anyone wants to tell me
> "Well, that's an obvious problem..." after this, I'd be interested
> to hear the explanation!
>
>
> ...
>
> --
> ---------------------------------------------------------------->
> Peter Bates, Systems Support Officer, Network Support Team.
> London School of Hygiene & Tropical Medicine.
> Telephone:0207-927 2124 / Fax:0207-436 5389 / Pager: 07625 255362
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

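A practical check for the situation Sean describes, added here as an example and not code from the original thread or from the Snort project: on a hub that keeps separate 10 and 100 Mb/s collision domains, a probe NIC only sees hosts that negotiated the same speed, so before trusting a negative test result compare the sniffing interface's negotiated speed with the speed of each target host, and pin the speed with ethtool so an auto-sensing card does not drift between segments after a reboot. The script assumes a Linux host with sysfs (/sys/class/net/<if>/speed), iproute2 and ethtool; the interface name eth1 and the host names ntbox and sparc are invented, and the target speeds are supplied by hand (as constructed input), since the probe has no way to query the other ports of a hub.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes Linux sysfs, iproute2
# and ethtool. Interface and host names below are made up for illustration.

SNIFF_IF="${SNIFF_IF:-eth1}"              # addressless sniffing NIC (assumption)
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"  # overridable so the check can be dry-run

# link_speed IFACE: print the negotiated speed in Mb/s, or "unknown" when the
# kernel reports no link (-1) or the sysfs node is missing.
link_speed() {
    f="$SYSFS_NET/$1/speed"
    if [ -r "$f" ]; then
        s=$(cat "$f" 2>/dev/null)
        case "$s" in
            ''|-1) echo unknown ;;
            *)     echo "$s" ;;
        esac
    else
        echo unknown
    fi
}

# same_segment SPEED_A SPEED_B: on a dual-speed hub two ports share a
# collision domain only when they run at the same speed. Prints yes/no/unknown.
same_segment() {
    if [ "$1" = unknown ] || [ "$2" = unknown ]; then
        echo unknown
    elif [ "$1" = "$2" ]; then
        echo yes
    else
        echo no
    fi
}

# check_targets IFACE host:speed [host:speed ...]: report, for each target host
# and the speed its NIC is known to run at, whether the probe will see its
# traffic. Returns 1 if any target sits on a different segment or the probe
# speed cannot be determined.
check_targets() {
    iface=$1; shift
    probe=$(link_speed "$iface")
    rc=0
    for entry in "$@"; do
        host=${entry%%:*}; speed=${entry#*:}
        case $(same_segment "$probe" "$speed") in
            yes) echo "$host ($speed Mb/s): visible from $iface ($probe Mb/s)" ;;
            no)  echo "$host ($speed Mb/s): NOT visible from $iface ($probe Mb/s)"; rc=1 ;;
            *)   echo "$host: cannot tell, speed of $iface is unknown"; rc=1 ;;
        esac
    done
    return $rc
}

# bring_up_sniffer IFACE [SPEED]: bring the NIC up addressless and promiscuous
# and, if SPEED is given, pin it (half duplex, as a hub requires) so the probe
# stays on the same segment across reboots instead of auto-sensing.
bring_up_sniffer() {
    iface=$1; speed=$2
    ip addr flush dev "$iface"
    ip link set dev "$iface" up promisc on
    if [ -n "$speed" ]; then
        ethtool -s "$iface" speed "$speed" duplex half autoneg off
    fi
}

# Demo run on a real host (RUN_DEMO=1 ./check-hub.sh); needs root for ip/ethtool.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    bring_up_sniffer "$SNIFF_IF" 10
    check_targets "$SNIFF_IF" ntbox:100 sparc:10
fi
```

With the probe pinned to 10 Mb/s the second run reports the NT box at 100 Mb/s as not visible, which is the mirror image of what Peter saw; the only way to cover both speeds on such a hub is two probe NICs, one per segment, or a switch span port as he ended up using.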