[Snort-users] RES: A Couple of Questions [Snort-users]

Romulo M. Cholewa rmc at ...8111...
Fri Jan 31 21:45:01 EST 2003

A reminder:

If you have a switched network, you can always look into the switch
management software or statistics. Most of the time they come with a CRC
error count per port. That would give away a faulty NIC or cable.

If you are trying to get warned about this kind of problem, you also
have the option of using SNMP traps. Most managed switches can be
configured to send traps if they encounter a bad frame error / CRC
error, or if the error count is higher than a preconfigured threshold.

But your question reminds me of a time when I was able to use LANalyzer

Romulo M. Cholewa
Home : http://www.rmc.eti.br
Forum: http://zeus.rmc.eti.br/forum
PGP Keys Available @ website.

]-----Original Message-----
]From: Lars Borland [mailto:lborland at ...8173...] 
]Sent: Friday, January 31, 2003 18:42
]To: twig les; Morgan R. Elmore; snort-users at lists.sourceforge.net
]Subject: RE: A Couple of Questions
]There is software like WildPackets' EtherPeek that is able to 
]detect "error packets".  I imagine a failing NIC would 
]generate lots and therefore give itself away.  I understand 
]what Eli is saying regarding this but, depending on the 
]errors, I'd think some of them would make it to the IP layer.  
]I also just read this off the WildPackets/EtherPeek site and I 
]think I may be wasting my time with this...  "Error Packet 
]Capture:  EtherPeek has the ability to capture error packets 
]on the network. These errors
]include: Runt, Oversize, Frame Alignment, and CRC. Most 
]adapters on the market discard error packets automatically. To 
]capture errors, you must use one of the supported error 
]capture cards with a special WildPackets driver installed."  
]If most modern NICs discard error packets then there's neither 
]any harm done nor will any error packets be seen by Snort 
]prior to being discarded (without the spiffy/castrated NIC and 
]WildPackets Drivers(TM) that is).  Thanks for bearing with me 
]regarding this.
]Talk to you all later, Lars.
]-----Original Message-----
]From: twig les [mailto:twigles at ...131...] 
]Sent: Friday, January 31, 2003 11:50 AM
]To: Lars Borland; Morgan R. Elmore; snort-users at lists.sourceforge.net
]Subject: RE: [Snort-users] A Couple of Questions
]I have caught an errant NIC before (bad driver) using
]the eval of sniffer pro.  All I noticed was that one 
]workstation was blabbing ten times more than the others and 
]the lady sitting at the station was in finance and had no idea 
]what a driver was.
]As for Snort detecting this, the NIC would have to
]break a rule and send bad packets like same
]source/dest or something.  I have seen our glorious
]firewall vendor do this many times, and when
]tcpdumping the packets to see wth is going on the
]packets had bad checksums and were being dropped at
]the switch interface.  

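The per-port error threshold check described in the reply above, as an added example that is not part of the original messages: it compares two polls of a switch's FCS (CRC) error counters and reports the ports whose count rose by more than a threshold. The `snmpwalk`-style sample lines and the threshold are constructed, and it is an assumption that the switch exposes `EtherLike-MIB::dot3StatsFCSErrors`.

```python
import re

# Matches net-snmp snmpwalk lines such as:
#   EtherLike-MIB::dot3StatsFCSErrors.3 = Counter32: 1842
LINE_RE = re.compile(r"dot3StatsFCSErrors\.(\d+) = Counter32: (\d+)\s*$")
COUNTER32_MOD = 2 ** 32


def parse_walk(text):
    """Return {ifIndex: counter value} from snmpwalk output, skipping other lines."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counters[int(m.group(1))] = int(m.group(2))
    return counters


def noisy_ports(before, after, threshold):
    """Ports whose FCS error count grew by more than `threshold` between polls."""
    flagged = {}
    for port, new in after.items():
        if port not in before:
            continue  # port appeared between polls: no baseline to compare
        # Counter32 wraps to 0 after 2**32 - 1; modular subtraction handles one wrap.
        # A switch reboot also resets counters and is indistinguishable here.
        delta = (new - before[port]) % COUNTER32_MOD
        if delta > threshold:
            flagged[port] = delta
    return flagged


# Constructed sample polls taken some minutes apart (not real switch output).
POLL_1 = """\
EtherLike-MIB::dot3StatsFCSErrors.1 = Counter32: 12
EtherLike-MIB::dot3StatsFCSErrors.2 = Counter32: 0
EtherLike-MIB::dot3StatsFCSErrors.3 = Counter32: 4294967200
"""
POLL_2 = """\
EtherLike-MIB::dot3StatsFCSErrors.1 = Counter32: 14
EtherLike-MIB::dot3StatsFCSErrors.2 = Counter32: 0
EtherLike-MIB::dot3StatsFCSErrors.3 = Counter32: 1500
EtherLike-MIB::dot3StatsFCSErrors.4 = Counter32: 7
"""

if __name__ == "__main__":
    hits = noisy_ports(parse_walk(POLL_1), parse_walk(POLL_2), threshold=100)
    for port, delta in sorted(hits.items()):
        print(f"ifIndex {port}: {delta} new FCS/CRC errors, check NIC and cable")
```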