[Snort-users] Snort missing traffic...?

PJ-ML p.jones.ml at ...8985...
Thu May 8 08:36:10 EDT 2003


Thanks for that insight...I am thinking along the same lines that the hub, 
Linksys Etherfast Workgroup Hub, is acting like a switch...it does see some 
traffic but not all...very strange. Has anyone else seen something like this?

Here some more info that occurred to me.  It(IDS) will see traffic to 
itself and other servers that are not behind the firewall...it misses 
traffic that is destined for the IP addresses that are being protected by 
the firewall...

Router (10.25.1.1) - - - Hub - - - FTP(10.25.1.6)
                         |
                         |- - - IDS(10.25.1.3)
                         |
                         firewall(10.25.1.2, 10.25.1.5, 10.25.1.7)

With that diagram, I see traffic and exploits that are for the IDS and FTP 
and not any IPs on the firewall...

~PJ




At 11:49 AM 5/8/2003, Rich Adamson wrote:
>Sounds like the hub is really a switch. Since you didn't mention what type
>of device it is, I'll mention what we've seen as network consultants that
>do this type of work all the time.  We happen to use a NetGear 4 port hub,
>but have noticed (for this model only) that if one port is 10 meg and
>another is 100 meg, it acts as a switch instead.
>
>We also have an older 3Com 10/100 24-port hub that does the same thing.
>
>Try running snort in sniffer mode from the command line, like...
>  snort -v -n 30
>and look at the packets to see if the server's address appears. If you
>see the server sending broadcast packets, your hub is probably acting
>as a switch. If you don't see the server at all (you can ping it from
>another machine) then there is some other problem.
>
> >   I ran some exploits on the snort server and acid reported them. I ran 
> the
> > same exploits on a server in the same sub-net and acid does not report any
> > of this. I looked at the alert file in /var/log/snort and nothing 
> regarding
> > the exploits run against the other server are there. I am confused. I
> > specified my HOME_NET, for example 10.25.1.0/24... The snort server is
> > 10.24.1.24 and the server I also ran exploits on is 10.25.1.20.
> >
> > The ethernet link to hub and to other parts of the network are all 100
> > base. Could it be the speed of the server? Not sure where to go, I know
> > that I must tune the server, but I do not know what to tune if it is not
> > seeing even purposeful exploits...I will be more than happy  to give any
> > more info that anyone requires to help me figure this out...except 
> for  the
> > root password to my machine ;-)





More information about the Snort-users mailing list