[Snort-users] Help with Hub and Router setup

SecurityGauntlet securitygauntlet at ...3130...
Fri Oct 26 18:28:02 EDT 2001

Well, let's see. The linksys router has the capability to put a machine 
Link a snort box as a DMZ host. Plug the Snort box into the Router direct. 
Set up the router with DMZ hosting. Make the DMZ machine stealth (use the 
cable mod on the Snort sites).

The router does the connection authentication for your cable drop. This 
needs to be the ONLY NIC viewable ( machine which has viability or can be 
see on your perimeter) from the cable company. Make sure you use the MAC 
spoofing ( set the MAC address spoofing of the registered computer) to 
address the cable companies requirement for authentication. Make sure you 
are NATing all inside addresses. You can start the Linux ether card without 
an IP address.


At 03:21 PM 10/26/2001 +0200, coen.bongers at ...2897... wrote:
>"tommy", wrote:
>      Hello.  ;0)
>      I need some help.  I have a cable connection that in hooked into my 
> 4 port
>      LinkSys Router.  From there I have a hub plugged into my LinkSys 
> router with
>      my snort box in it in the DMZ.  I want to change this setup.  What I 
> want to
>      do is, have my cable connection go into my Hub, then from there plug 
> into my
>      router.  So I can then put my Snort box on the hub with no IP 
> address (im
>      running snort 1.8 on Mandrake).  I tried doing this but it didnt 
> work.  On my
>      router it has a WAN connection and an uplink?  Do I need a cross 
> over cable
>      or something?  Also, how would I plug it in the ports?  From the hub 
> to the
>      WAn port on my LinkSys?  Thanks in advance.
>I have a comparable situation at home....
>but before I explain, I have a question:
>While youre snort box is in your DMZ, won't it miss all the outbound 
>traffic and all the inbound traffic for wich you have port-forwarders 
>defined in the linksys?  Since the linksys has an integrated switch, and 
>it onlys sends packets to the DMZ for wich
>it has no other destination. For instance, my port 25 and 110 connections 
>go to my internal mailserver.
>Guess, this is exactly the reason why you want the snort box to be in 
>front of the router, not?
>great router by the way!!! (for its price that is..)
>Let me sum up what I have;
>Internet -> Cable modem -> Straight UTP cable to the hub's 
>uplink(crossed)port -> Straight cable to WAN port on linksys (X or MX 
>switch on the port, I don't remember, guess it is crossed) -> straight 
>cables to Internal network equipement, and the aktive
>(management) interface on the snort box.
>Wether a cable needs to be straight or cross, is easily determined, just 
>get both and try..... Link light on means you have the right cable...
>Also from the hub is a second cable going to the Promisc. interface of the 
>snort box. Thus enabling it to see al the traffic flowing from the cable 
>modem to your linksys and visa-versa.
>I defined a port forward (of a port number only known to me) to forward 
>from the internet to the internal interface of the snort-box, wich runs 
>also ACID, so I can see my snort logs from the inside and the outside. (I 
>know that this might not as secure as
>I want, but this is just the way it is for now)
>Only problem I still have is that from the session of other systems in my 
>subnet/cable segment I only see the responses, and not the requests. As I 
>understand, this is because the receive channel and the send channel of 
>the cable modem are in a different
>frequency, and my modems receive channel does not see other modems send 
>Anybody has an idea on how tho overcome this issue? Can a Com21 Cable 
>modem be told to also receive on the other modems send frequency?? Anybody?
>Anyway good luck and have fun!!
>P.S> I'm also rather new at this, so if anybody sees an blatant error in 
>my explanation, please let me know...
>Coen Bongers
>Network Coordinator
>Dept. InfraStructure.
>If anything else fails, read the instructions....
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>Snort-users list archive:

Wayne T Work
Manager of Information Systems Security
Cybergnostic.net, Inc
(O) 203.331.4417
(C) 203.217.5004
<http://wwork@...3179.../>wwork at ...3550...<http://wwork@...3179.../>com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20011026/d3adf39d/attachment.html>

More information about the Snort-users mailing list