[Snort-users] Is it really a HUB?

Petriz, Pablo ppetriz at ...3815...
Wed Nov 26 10:01:10 EST 2003


I want to know if someone on this list is using the Cisco 1538 Micro Hub for
snorting.

In the overview pdf of this product says:

- Autosensing on all ports allows automatic configuration for either 10BaseT
or
100BaseT connections.
- Built-in high-speed bridge function automatically connects 10BaseT and
100BaseT
workstations without an external switch or router.
- Embedded switch supports store-and-forward switching and filtering and
forwarding
rate at full-wire speed.

So i don't know if snort will see all the traffic on it...

Thanks,

PABLO

> Date: Wed, 29 Oct 2003 15:42:00 -0500
> From: "Kristofer T. Karas" <ktk at ...10113...>
> To: snort-users at lists.sourceforge.net
> CC: Darryl Luff <dluff at ...9557...>
> Subject: Re: [Snort-users] Is it really a HUB?
> 
> Darryl Luff wrote:
> 
> > It works as you say. Except that if your station never transmits 
> > anything, the switch will not learn your MAC, and will flood all 
> > traffic addressed TO YOU out all ports.  [snip]
> 
> Thanks...
> 
> Right, that was the very thought that hit me in the head the 
> other night 
> as I pondered the issues further.  The router with the spanned port 
> talks to a small handful of other routers; the only MAC 
> addresses seen 
> coming in to the hub from that port will therefore be those 
> of the other 
> routers, all of which will make their way into the hub's MAC table.  
> Thus, within a few seconds or so, the small hub will not send 
> anything 
> to the IDS because it knows that the source and destination MACs all 
> reside on the port connected to the router's spanned port; 
> ergo, there 
> is no need to copy the packets to any of its (the hub's) other ports. 
> 
> Bugger.   I guess I need to find somebody that makes a small 4-port 
> switch where one can configure a port as a promiscuous 
> listening interface.
> 
> Kris




More information about the Snort-users mailing list