[Snort-users] Help with Hub and Router setup

coen.bongers at ...2897... coen.bongers at ...2897...
Fri Oct 26 11:02:09 EDT 2001

"tommy", wrote:

     Hello.  ;0)

     I need some help.  I have a cable connection that is hooked into my 4 port
     LinkSys Router.  From there I have a hub plugged into my LinkSys router with
     my snort box in it in the DMZ.  I want to change this setup.  What I want to
     do is, have my cable connection go into my Hub, then from there plug into my
     router.  So I can then put my Snort box on the hub with no IP address (I'm
     running snort 1.8 on Mandrake).  I tried doing this but it didn't work.  On my
     router it has a WAN connection and an uplink?  Do I need a crossover cable
     or something?  Also, how would I plug it in the ports?  From the hub to the
     WAN port on my LinkSys?  Thanks in advance.

I have a comparable situation at home....

but before I explain, I have a question:

While your snort box is in your DMZ, won't it miss all the outbound traffic and all the inbound traffic for which you have port-forwarders defined in the linksys?  Since the linksys has an integrated switch, and it only sends packets to the DMZ for which it has no other destination. For instance, my port 25 and 110 connections go to my internal mailserver.

Guess, this is exactly the reason why you want the snort box to be in front of the router, not?

great router by the way!!! (for its price that is..)

Let me sum up what I have;

Internet -> Cable modem -> Straight UTP cable to the hub's uplink (crossed) port -> Straight cable to WAN port on linksys (X or MX switch on the port, I don't remember, guess it is crossed) -> straight cables to internal network equipment, and the active (management) interface on the snort box.

Whether a cable needs to be straight or cross is easily determined, just get both and try... Link light on means you have the right cable...

Also from the hub is a second cable going to the promisc. interface of the snort box. Thus enabling it to see all the traffic flowing from the cable modem to your linksys and vice versa.

I defined a port forward (of a port number only known to me) to forward from the internet to the internal interface of the snort box, which also runs ACID, so I can see my snort logs from the inside and the outside. (I know that this might not be as secure as I want, but this is just the way it is for now)

Only problem I still have is that from the sessions of other systems in my subnet/cable segment I only see the responses, and not the requests. As I understand, this is because the receive channel and the send channel of the cable modem are on a different frequency, and my modem's receive channel does not see other modems' send channels.

Does anybody have an idea on how to overcome this issue? Can a Com21 cable modem be told to also receive on the other modems' send frequency?? Anybody?

Anyway good luck and have fun!!

P.S. I'm also rather new at this, so if anybody sees a blatant error in my explanation, please let me know...

Coen Bongers
Network Coordinator
Dept. InfraStructure.
If anything else fails, read the instructions....
