[Snort-users] stealth mode and openbsd 3.3

MH procana at ...4296...
Sat May 24 03:39:06 EDT 2003

Hi Bert,

You mentioned that both interfaces are plugged into the same 
*hub*.  However, both interfaces are listed as operating full-duplex.
Is this a hub or a switch?  A hub does not support full-duplex connections 
(shared bandwidth etc. etc. etc. :) ).
If this is a switch (not a hub), sis0 would not be able to 'see' the data 
unless you mirror to its port.

If you have not already done this, try running tcpdump -nXi sis0  or snort 
-vdei sis0 when you run the tests.
Is sis0 able to 'see' the data?

My guess is that this is a switch and you are running the test attacks 
through rl0.  If this is true, that explains why snort will
generate the alerts when listening on rl0 and not sis0.  If this is 
correct, mirroring to sis0's port will resolve this issue.

Hope this helps,

More information about the Snort-users mailing list