[Snort-users] Sensor problem
mkettler at ...4108...
Tue Nov 9 16:50:01 EST 2004
At 05:43 PM 11/9/2004, Cesar Sanabria Pineda wrote:
>Hi, I'm having troubles detecting traffic, my network is more or less:
>
>                              | |------- LAN 1 (segment 191.168.1.x)
>INTERNET ---- GW --(1)---GW-- |-------- LAN 2 (segment 191.168.2.x)
>              segment X       |   .
>                              |   .
>                              |------- LAN N (segment 191.168.n.x)
>
>I mean, my sensor is between gateways.
>I put my sensor on (1) a segment x (192.x.x.x) and I would like to
>catch all traffic from every LAN (segment), but I'm not logging all
>alerts, I mean, supposedly I'm on the first segment and I ping a server
>on the DMZ I can't see the traffic neither in sniffer mode, so the
No, the question is what did you plug your sniffer into?
If the answer is that you plugged it into a switch port, unless that switch
is configured to span, you won't see traffic to machines other than
broadcast and the local machine.
This is a fundamental and intentional design feature of a switch. It's what
makes switches superior to passive hubs. Switches actually switch packets
to the proper ports, instead of blindly echoing them to every port on the
network. This makes the cross-sectional bandwidth of the network much
higher, since many ports can be talking to other ports simultaneously. On a
switch port A can send to B and port C can send to D at the same time
without collision, but D won't see the packet sent to B. And unless you're
trying to sniff a network, this isn't a problem, it's a benefit. Things go
faster, and sniffing is more difficult (security improvement).
If it's a 10/100 "dual speed" hub, odds are the device in question still
behaves more like a switch than a purely passive hub. Most of these devices
of recent manufacture are basically switches without full-duplex support
and/or smaller MAC tables.
You need to connect your sensor to a port that actually gets the traffic
you want. Solutions here include:

    10mbit (only) hub: cheap, but slow

    macof or other MAC table flooding software: cheap, but can cause
    erratic behavior of the switch, slows down the lan to hub-style speeds, and
    is not 100% reliable either. Will also cause some smarter switches to
    disable the port as a security violation.

    managed switch with span port: flexible, but costs a few hundred

    passive tap: Very effective, highly secure, but complicated to set
    up. Requires you to put 2 nics into your sniffer machine and bond the two
    together so you can see all the traffic. A third interface will be needed
    for management, as the others will be unable to send traffic.
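The reply's core point, that a plain switch port delivers only broadcast, multicast and frames addressed to the sensor's own NIC, suggests a quick sanity check for a sensor placement: classify captured frames by destination MAC and see whether any unicast traffic between *other* hosts shows up at all. The script below is an added example, not code from the mailing-list post or from Snort. It reads a libpcap file as written by `tcpdump -w` (Ethernet link type only) or, with no argument, runs over a handful of constructed frames; the sensor MAC `00:11:22:33:44:55` and all sample addresses are assumptions for the demonstration.

```python
"""Sensor placement check: does the sniffing interface see foreign unicast?

Added example (not from the original post). On a plain switch port the
sensor only receives broadcast/multicast frames and frames addressed to
its own NIC; on a SPAN port, hub or tap it also sees unicast between two
other hosts. Run it over a short capture from the sensor interface.
"""
import struct
import sys

SENSOR_MAC = "00:11:22:33:44:55"  # assumed: MAC of the sensor's sniffing NIC
LINKTYPE_ETHERNET = 1
PCAP_MAGICS = {                   # libpcap file magic -> struct byte-order prefix
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # nanosecond timestamps
}


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_frame(dst: str, src: str, ethertype: int = 0x0800) -> bytes:
    """Constructed minimal Ethernet frame: 14-byte header plus zero padding."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + b"\x00" * 46


def classify(frame: bytes, sensor_mac: str = SENSOR_MAC) -> str:
    """Bucket a frame by who it was addressed to."""
    if len(frame) < 14:
        return "runt"
    dst = frame[:6]
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 0x01:            # group bit set: multicast (broadcast handled above)
        return "multicast"
    if dst == mac_bytes(sensor_mac):
        return "local"
    return "foreign_unicast"     # traffic between two other hosts


def visibility_report(frames, sensor_mac: str = SENSOR_MAC) -> dict:
    counts = {k: 0 for k in ("broadcast", "multicast", "local", "foreign_unicast", "runt")}
    for frame in frames:
        counts[classify(frame, sensor_mac)] += 1
    counts["total"] = len(frames)
    # A plain (non-SPAN) switch port yields zero foreign unicast frames.
    counts["sees_foreign_unicast"] = counts["foreign_unicast"] > 0
    return counts


def parse_pcap(data: bytes) -> list:
    """Return the Ethernet frames in a libpcap-format capture (tcpdump -w output)."""
    order = PCAP_MAGICS.get(data[:4])
    if order is None:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(order + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    frames, pos = [], 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[pos:pos + 16])
        pos += 16
        frames.append(data[pos:pos + incl_len])
        pos += incl_len
    return frames


def build_pcap(frames, order: str = "<") -> bytes:
    """Constructed libpcap file around the given frames (used for the self-test)."""
    magic = b"\xd4\xc3\xb2\xa1" if order == "<" else b"\xa1\xb2\xc3\xd4"
    header = magic + struct.pack(order + "HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack(order + "IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + body


# Constructed sample traffic (all addresses are made up for the example).
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:01", 0x0806),  # ARP request broadcast
    build_frame("01:00:5e:00:00:fb", "00:aa:bb:cc:dd:02"),          # IPv4 multicast group
    build_frame(SENSOR_MAC, "00:aa:bb:cc:dd:03"),                   # addressed to the sensor
    build_frame("00:aa:bb:cc:dd:04", "00:aa:bb:cc:dd:05"),          # LAN 1 host -> LAN 2 host
    build_frame("00:aa:bb:cc:dd:05", "00:aa:bb:cc:dd:04"),          # and the reply
]
SWITCH_PORT_FRAMES = SAMPLE_FRAMES[:3]   # what a plain switch port would deliver


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            frames = parse_pcap(fh.read())
    else:
        frames = SAMPLE_FRAMES
    report = visibility_report(frames)
    for key, value in report.items():
        print(f"{key:>20}: {value}")
    return 0 if report["sees_foreign_unicast"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit with `foreign_unicast: 0` after a minute of capture on a busy segment is the signature of the situation described in the reply: the sensor is on an ordinary switch port and needs a SPAN port, hub or tap before Snort will ever see the inter-LAN traffic. The check is deliberately link-layer only, so it works the same whichever of the solutions above is chosen.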