[Snort-users] stealth mode and openbsd 3.3
procana at ...4296...
Sat May 24 03:39:06 EDT 2003
You mentioned that both interfaces are plugged into the same *hub*.
However, both interfaces are listed as operating full-duplex. Is this a
hub or a switch? A hub does not support full-duplex connections (shared
bandwidth etc. etc. etc. :) ).

If this is a switch (not a hub), sis0 would not be able to 'see' the data
unless you mirror to its port.

If you have not already done this, try running tcpdump -nXi sis0 or
snort -vdei sis0 when you run the tests. Is sis0 able to 'see' the data?

My guess is that this is a switch and you are running the test attacks
through rl0. If this is true, that explains why snort will generate the
alerts when listening on rl0 and not sis0. If this is correct, mirroring
to sis0's port will resolve this issue.

Hope this helps,