[Snort-users] strange promiscuous mode behavior

Chris Grout cgrout at ...3649...
Thu Jan 31 23:48:02 EST 2002

Check what speed all external interfaces have negotiated too.  Keep in
mind that many 10/100 hubs actually will switch traffic between the 10
mbit devices and the ones at 100.  I'm not a netgear guru, but I know
this is the case with the "smarter" 10/100 hubs.  Obviously, to remedy
this, just hard code everything to one speed.


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Ben Keepper
Sent: Thursday, January 31, 2002 10:04 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] strange promiscuous mode behavior

I am having a fit trying to figure this one out.

2 Demarc/Snort sensors.  One has three NICs with one NIC to a hub
between the router and firewall, one to a hub in the DMZ, and one to the
inside network as a management interface.  All this data goes to a
dual-homed box that has one interface snorting on the inside network,
and the other interface being the main SID/MYSQL/DEMARC NIC for the
whole network.

The box that is monitoring the DMZ and outside network is using the same
dual Intel NIC to watch these segments.  The DMZ interface is working
perfectly, but the interface on the outside network refuses to see
packets.  A tcpdump reveals the arps, but no real data.  Even giving the
NIC an IP address within the external IP address range of the firewall
and then in promisc mode reveals no data unless the packets are directed
at that specific IP.

The hub (Netgear DS-16) in the DMZ and the external net are identical,
so I don't think it's the hub, and, like I said, this is a dual port card,
with one port perfectly content, and the other not seeing anything.

What gives?

Shouldn't I be able to see any data between the router and firewall with
a tcpdump?



Ben Keepper
Security Engineer

"I like to play with things awhile... before annihilation" -Emperor Ming
the Merciless
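
Added example, not part of either message: one way to run the speed check suggested in the reply on a Linux sensor, comparing each capture interface's negotiated speed with the speed the rest of its hub segment runs at. It assumes the kernel exposes `/sys/class/net/<iface>/speed`; the interface names and expected speeds in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: flag capture NICs whose negotiated speed differs from the
# speed of the segment they are supposed to be sniffing.
# SYSFS_NET may be pointed at a constructed directory tree for testing.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the negotiated speed in Mbit/s, or "unknown" when the kernel reports
# none (link down, virtual interface, or no such interface).
negotiated_speed() {
    s=$(cat "$SYSFS_NET/$1/speed" 2>/dev/null) || s=""
    case "$s" in
        ''|*[!0-9]*) echo unknown ;;   # empty, "-1", or anything non-numeric
        *) echo "$s" ;;
    esac
}

# check_segment IFACE EXPECTED_MBIT
# Returns 0 on match, 1 on speed mismatch, 2 when the speed cannot be read.
check_segment() {
    got=$(negotiated_speed "$1")
    if [ "$got" = unknown ]; then
        echo "$1: speed unknown, check the link"
        return 2
    fi
    if [ "$got" != "$2" ]; then
        echo "$1: negotiated $got Mbit but segment runs at $2 Mbit;" \
             "a dual-speed hub may switch between the two speeds"
        return 1
    fi
    echo "$1: $got Mbit, matches segment"
    return 0
}

# audit IFACE:EXPECTED ...
# Exit status is the number of interfaces that failed the check.
audit() {
    bad=0
    for pair in "$@"; do
        check_segment "${pair%%:*}" "${pair##*:}" || bad=$((bad + 1))
    done
    return "$bad"
}

# Usage (hypothetical names and speeds): ./speedcheck.sh eth1:10 eth2:100
if [ "$#" -gt 0 ]; then audit "$@"; fi
```

The expected speed for each segment still has to come from the router, firewall and other hosts on that hub, since the sensor can only read its own side of the link.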
