[Snort-users] Snort and Promiscuos Mode
francois at ...1754...
Tue Oct 9 10:26:11 EDT 2001
Tue, 09 Oct 2001 12:40:16 -0400
"Frontgate Lab" <mdiwan at ...200...> wrote:
> Hello everyone.. Just a few quick questions about Snort
> and Promiscuous mode on an Ethernet NIC.
> What are the consequenses of NOT enableing Promiscuos mode on the NIC
> and still running snort on it?
You won't see traffic with MAC addresses that aren't the one running Snort.
> IE what Situations would I be able to see traffic that is pertinent and
> in what situations would i not see something i should be watching out
You'll mostly be blind.
> Most often the environment that Snort runs in
> is Switched sometimes these swithches are Vlan-ed, sometimes the switch
> is flat.
> It is unusual that the switch mirrors all its traffic to one switch
> port..but i can set up environments where this is possible.. what is the
> best approach for Snort IDS?
I like to put it on a hub between the external router and the switch. It
is also possible to setup a monitor port on some switches. This is good too.
> Does running IDS on a switched port without promiscuos mode have any
> advantages for me
> if the IDS is running on a firewall ?
IMHO, the NIDS should never be run on a firewall : you must ban out for your
firewalls every applications that could make it fail or grab its resources,
which in fact Snort can easily do. An NIDS should be a dedicated system.
> One of the problems with promiscous mode in some of my environments is
> that it seems to suck packets away from thier intended targets,
> especially in UDp environs.. has anyone else experienced this?
Promiscuous mode is purely passive : it doesn't << eat >> anything. The
frame is transmitted through the entire network, eventually filtered by
switches, and the NIC just catch the signal, but instead of ignoring it
because it's not its MAC address, it forwards it up to the IP layer.
> Are there any drawbacks to running snort on an interface without an
> IP?.. ie could i still put it into promiscuous mode if i had to and why
> would i want to do that?
Works fine and it's much better IMHO. You can also setup a RO cable,
but be aware that some switches and hubs 10/100 Mbit/s need to get
traffic to setup correctly the link.
> Please forgive some of the above redundency in language i simply want to
> explain my questions as clearly as possible.
> Thank you for any input to this topic.
More information about the Snort-users