[Snort-users] A Couple of Questions

twig les twigles at ...131...
Fri Jan 31 11:51:02 EST 2003


I have caught an errant NIC before (bad driver) using
the eval of sniffer pro.  All I noticed was that one
workstation was blabbing ten times more than the
others and the lady sitting at the station was in
finance and had no idea what a driver was.

As for Snort detecting this, the NIC would have to
break a rule and send bad packets like same
source/dest or something.  I have seen our glorious
firewall vendor do this many times, and when
tcpdumping the packets to see wth is going on the
packets had bad checksums and were being dropped at
the switch interface.  

> 
> Does anyone have an answer to my 2nd question?
> 
> Has anyone written a rule for, or been able to use
> Snort to detect signs
> of a failing NIC?  I don't know the terminology
> off-hand but a dying NIC
> may start to "yell" at the network, causing the
> surrounding NICs to
> spend a lot of time dropping packets not
> specifically destined for them
> (they still have to look at the packets to know to
> drop them).  The NIC
> on the offending machine still appears to work
> somewhat but performance
> on the machine is very poor.  Also, the surrounding
> network (whatever is
> in the same collision domain) will suffer.  Incoming
> tech calls will be
> something like "Are things running kind of slow
> today?".  I've dealt
> with this sort of thing in the past and have luckily
> come across the
> failing NIC by chance.  I'd like to be able to
> pinpoint this sort of
> thing more easily using Snort if at all possible. 
> Please let me know if
> you're aware of any such rule.
> 
> Thanks again, Lars.
> 
> 
> -----Original Message-----
> From: Morgan R. Elmore
> Sent: Thursday, January 30, 2003 3:20 PM
> To: Lars Borland; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] A Couple of Questions
> 
> 
> Lars,
> 
> It sounds to me like some bogus sensor information
> was placed into the
> db while your sensor was messed up.  I'm assuming
> that you are using
> MySQL?  I'm going off of the top of my head, so
> these commands might not
> be entirely accurate...
> Log into MySQL from a command prompt (DOS box):
>     mysql -u (username) -p
>     type in the password
>     connect db (db=database name, should be snort or
> something like it)
>     select * from sensor;    (don't forget the
> semicolon at the end of
> the line)
>     you should see 4 separate sensors....
>     delete from sensor where sid=(the sid of the
> bogus sensor)
> 
> After that, ACID should only show one sensor.
> 
> 


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------
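As an added example (not code from any poster in this thread), a small Python script that applies the two checks discussed above to tcpdump-style output: the "one workstation blabbing ten times more than the others" top-talker heuristic and a check for frames whose source and destination address are the same. The ratio of 10, the median baseline and the sample addresses are assumptions; the capture lines are constructed.

```python
"""Flag a 'blabbing' host and same-source/destination frames in tcpdump output."""
import re
from collections import Counter
from statistics import median

# Matches the host part of a tcpdump "IP a.port > b.port:" line; ports optional.
_IP_LINE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})(?:\.\d+)? > (?P<dst>\d+(?:\.\d+){3})(?:\.\d+)?[:,]"
)


def parse_flows(text):
    """Return (src, dst) tuples for every parseable 'IP a > b' line."""
    flows = []
    for line in text.splitlines():
        m = _IP_LINE.search(line)
        if m:
            flows.append((m.group("src"), m.group("dst")))
    return flows


def top_talkers(flows, ratio=10):
    """Sources sending at least `ratio` times the median per-source frame count."""
    counts = Counter(src for src, _ in flows)
    if len(counts) < 2:          # nothing to compare against
        return {}
    baseline = median(counts.values())
    return {src: n for src, n in counts.items() if n >= ratio * baseline}


def same_src_dst(flows):
    """Addresses that appear as both source and destination of one frame."""
    return sorted({src for src, dst in flows if src == dst})


# Constructed sample (assumed addresses): three quiet hosts sending 3 frames each,
# one host sending 40 frames, plus one frame with identical source and destination.
def _line(n, src, dst):
    return f"11:51:{n % 60:02d}.{n:06d} IP {src}.1034 > {dst}.80: Flags [P.], length 120"


SAMPLE = "\n".join(
    [_line(i, "10.0.0.5", "10.0.0.1") for i in range(40)]
    + [_line(i, h, "10.0.0.1") for h in ("10.0.0.2", "10.0.0.3", "10.0.0.4") for i in range(3)]
    + [_line(99, "10.0.0.5", "10.0.0.5")]
)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print("top talkers:", top_talkers(flows))   # {'10.0.0.5': 41}
    print("same src/dst:", same_src_dst(flows))  # ['10.0.0.5']
```

On a real capture, feed it the output of `tcpdump -n` (or `tcpdump -e` if you prefer to key on MAC addresses by adjusting the regex).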
