[Snort-users] Sensor problem

Matt Kettler mkettler at ...4108...
Tue Nov 9 16:50:01 EST 2004


At 05:43 PM 11/9/2004, Cesar Sanabria Pineda wrote:
>Hi, i'm having troubles detecting traffic, my network is more or less:
>
>              DMZ
>               |               |------- LAN 1  (segment 191.168.1.x)
>INTERNET ---- GW --(1)---GW-- |-------- LAN 2 (segment 191.168.2.x)
>                  segement X   |                .
>                               |               .
>                               |------- LAN N (segment 191.168.n.x)
>
>I mena, my sensor is between gateways.
>I put my sensor on (1) a segment x (192.x.x.x) and i would like to
>catch all traffic from every LAN (segment), but i'm not logging all
>alerts, i mean, suppously i'm on the fist segment and i ping a server
>on the DMZ i can't see the traffic neither in sniffer mode, so the
>question is:

No, the question is what did you plug your sniffer into?

If the answer is that you plugged it into a switch port, unless that switch 
is configured to span, you won't see traffic to machines other than 
broadcast and the local machine.

This is a fundamental and intentional design feature of a switch. It's what 
makes switches superior to passive hubs. Switches actually switch packets 
to the proper ports, instead of blindly echoing them to every port on the 
network. This makes the cross-sectional bandwidth of the network much 
higher, since many ports can be talking to other ports simultaneously. On a 
switch port A can send to B and port C can send to D at the same time 
without collision, but D won't see the packet sent to B. And unless you're 
trying to sniff a network, this isn't a problem, it's a benefit. Things go 
faster, and sniffing is more difficult (security improvement)

If it's a 10/100 "dual speed" hub, odds are the device in question still 
behaves more like a switch than a purely passive hub. Most of these devices 
of recent manufacture are basically switches without full-duplex support 
and/or smaller MAC tables.

You need to connect your sensor to a port that actually gets the traffic 
you want. Solutions here include:

         10mbit (only) hub: cheap, but slow

         macof or other MAC table flooding software: cheap, but can cause 
erratic behavior of the switch, slows down the lan to hub-style speeds, and 
is not 100% reliable either. Will also cause some smarter switches to 
disable the port as a security violation.

         managed switch with span port: flexible, but costs a few hundred 
bucks.

         passive tap: Very effective, highly secure, but complicated to set 
up. Requires you to put 2 nics into your sniffer machine and bond the two 
together so you can see all the traffic. A third interface will be needed 
for management, as the others will be unable to send traffic.







More information about the Snort-users mailing list