[Snort-users] Snort not seeing all traffic?
mkettler at ...4108...
Wed Apr 23 14:45:20 EDT 2003
Is the "hub" a 10/100 dual-speed hub?
what speed is the interface from the hub to router?
what speed is the interface from the hub to the switch?
what speed is the interface from the hub to eth1 on the IDS box?
If all three numbers are not the same, that's your problem. The 10/100
"auto switching" hubs are network-wise equivalent to a pair of hubs
connected by a 2-port switch (also called an ethernet bridge if you want to
get technical about it, and some of these hubs call themselves "auto
bridging" instead of "auto switching")
10mbit hub ----- switch ------- 100 mbit hub
Thus if there's mismatch in speeds (ie: the snort box is the only 100mbit
connection and the other 2 are 10mbit), it won't actually see the traffic
because of the internal switch between the two speeds.
At 03:17 PM 4/23/2003 -0400, Patrick Jones wrote:
>Red Hat 8.0
>Eth1 no address
>Router - Hub - Switch - Firewall - Internal Network
> | |
> | |
> (Eth1) |
More information about the Snort-users