Question on Snort

Yohhan

Senior member
May 17, 2002
I have a question about the promiscuous mode of Snort.

By default, Snort says it operates in "promiscuous mode". As far as I can tell, this means it picks up packets on the line not destined for it. So here's my question...

I have three computers on my home network, all behind the same hub. If machine A is running Snort, and machine B pings machine C, why doesn't Snort on A see this? A sees the ARP request, which is broadcast, and that is all. It seems like it should be able to see any activity that's occurring on the same network, not just broadcasts and packets destined for it.

If it's not able/supposed to do that, then what is the difference between having Snort in promiscuous mode and not?

Thanks ahead.

Boscoh

Senior member
Jan 23, 2002
You're on a hub or a switch?

If it's on a hub then I can't see why it wouldn't get the traffic. A hub copies everything to everyone on the hub.

If you're on a switch, you need to set up the port that Snort is plugged into as a SPAN port (or Port Mirroring, as some vendors call it). Switches won't copy the packet to everyone unless it's a broadcast.

Promiscuous mode picks up everything on the line, not just stuff addressed to the system. If you're on a switch, the ping from B to C won't be on the line to A, so you won't see it. However, the ARP is a broadcast, which explains why you're seeing it.
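The hub-versus-switch explanation above, worked through as an added toy model (not code from the thread or from Snort): a hub repeats every frame to every port, a learning switch delivers unicast only to the learned port, a SPAN port mirrors everything, and the NIC itself discards frames not addressed to it unless it is promiscuous. All MAC addresses and port names are constructed.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
PORTS = ("A", "B", "C")
# Constructed MAC addresses for the three hosts (hypothetical values).
MAC = {"A": "02:00:00:00:00:0a", "B": "02:00:00:00:00:0b", "C": "02:00:00:00:00:0c"}

@dataclass(frozen=True)
class Frame:
    src: str   # source MAC
    dst: str   # destination MAC
    desc: str  # label used in the output

# Constructed exchange: B pings C (ARP resolution, then ICMP); (ingress port, frame).
PING_B_TO_C = [
    ("B", Frame(MAC["B"], BROADCAST, "ARP request who-has C tell B")),
    ("C", Frame(MAC["C"], MAC["B"], "ARP reply C is-at MAC[C]")),
    ("B", Frame(MAC["B"], MAC["C"], "ICMP echo request B > C")),
    ("C", Frame(MAC["C"], MAC["B"], "ICMP echo reply C > B")),
]

class Hub:
    """A hub repeats every frame out of every port except the one it arrived on."""
    def forward(self, in_port, frame):
        return [p for p in PORTS if p != in_port]

class Switch:
    """A learning switch sends unicast only to the port where it last saw the
    destination MAC and floods broadcast/unknown; a SPAN port gets a copy of everything."""
    def __init__(self, span_port=None):
        self.table, self.span_port = {}, span_port
    def forward(self, in_port, frame):
        self.table[frame.src] = in_port            # learn source MAC -> port
        out = self.table.get(frame.dst)
        flood = frame.dst == BROADCAST or out is None
        targets = {p for p in PORTS if p != in_port} if flood else {out}
        if self.span_port and self.span_port != in_port:
            targets.add(self.span_port)            # mirrored copy for the sniffer
        return sorted(targets)

def nic_accepts(frame, own_mac, promisc):
    """Without promiscuous mode the NIC drops frames not addressed to it or to broadcast."""
    return promisc or frame.dst in (own_mac, BROADCAST)

def sniff(device, frames, sniffer="A", promisc=True):
    """Descriptions of the frames a sniffer on port `sniffer` actually captures."""
    return [f.desc for in_port, f in frames
            if sniffer in device.forward(in_port, f) and nic_accepts(f, MAC[sniffer], promisc)]
```

`sniff(Hub(), PING_B_TO_C, promisc=False)` and `sniff(Switch(), PING_B_TO_C)` both return only the ARP broadcast, which is the symptom described in the thread, while `sniff(Hub(), PING_B_TO_C)` and `sniff(Switch(span_port="A"), PING_B_TO_C)` return all four frames.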

Yohhan

Senior member
May 17, 2002
Edit: Oops, didn't refresh the browser.

It's the Linksys "EFAH05W" Hub. I have it uplinked into my BEFSR41 Linksys router. All machines are behind the hub.

Originally posted by: Boscoh
If it's on a hub then I can't see why it wouldn't get the traffic. A hub copies everything to everyone on the hub.

That's where I'm confused.


How do I set Snort up on a SPAN port?

Boscoh

Senior member
Jan 23, 2002
You wouldn't have a SPAN port on a hub...those are only needed on switches.

Is it only ICMP traffic that you can't see? Have you tried web browsing and stuff?

Are you sure Snort is configured correctly?

Yohhan

Senior member
May 17, 2002
I mean if I did have a switch -- How would I configure the SPAN port?

Can't see anything other than ARP requests. I tried browsing the web, but nothing showed up on Snort. As far as I know, Snort is configured correctly. I downloaded it, compiled on Fedora with the default configuration, and ran it with the command snort -v -v.

n0cmonkey

Elite Member
Jun 10, 2001
How are you monitoring snort? Are you actively trying to trigger rules? Browsing for root.exe or cmd.exe is a good way to test it.

Yohhan

Senior member
May 17, 2002
I'm new to snort and haven't gotten into the rules part yet, so I don't think I'm actively trying to trigger any. I'm not exactly sure how to browse for root.exe or cmd.exe either.

After installation, I just run it using snort -v -v, or snort -l /var/log/snort, and watch the screen and/or check the log files.

mboy

Diamond Member
Jul 29, 2001
My guess is your hub is really a switch. You need a Managed or Layer 3 switch to do Port spanning. No can do on a Layer 2 or soho type switch.

Boscoh

Senior member
Jan 23, 2002
Originally posted by: mboy
My guess is your hub is really a switch. You need a Managed or Layer 3 switch to do Port spanning. No can do on a Layer 2 or soho type switch.

Since when can you not do SPAN or port mirroring on a Layer 2 switch? I have about 10 L2 switches that I can do this on, from Dell and Cisco....


Yohan,

My best guess would be that you don't have Snort set up correctly. Have you tried another program that sniffs packets, like Ethereal?

Yohhan

Senior member
May 17, 2002
n0cmonkey:
My apologies for the ignorance here, but...

When you say hit http://somesite.com/root.exe, do you mean from the computer running snort? I'm running Apache on another machine. So I get Snort going with the following command: snort -A full -v, and then I try to reach http://internal-apache-server/root.exe on the apache server? If that's what I was supposed to do, it didn't turn up anything. Or I'm doing it wrong. I'm not really sure what a snort alert looks like, but I couldn't find anything of interest in the log files or in the console.


mboy:
It says 5 port Hub on the front. It cost $10 -- I didn't think switches came that cheap.

Boscoh:
I haven't tried Ethereal, but I did try another packet sniffer that didn't work either. I'm trying to remember the name, I'll have to go back and look.

n0cmonkey

Elite Member
Jun 10, 2001
Yeah, that's basically what I meant. See an IDS is supposed to listen to traffic and generate alarms based on the traffic it sees. Snort looks at a stream of packets, compares it to known signatures, and creates alarms. If you feed it a known signature, root.exe, and it does not set off alarms, you have something misconfigured.

You have a recent version of the rules downloaded and correctly configured in the snort.conf?

Yohhan

Senior member
May 17, 2002
I'm going to assume that I don't -- I didn't touch snort.conf or set up any sort of rules when I installed it. I'll have to look into that and get it figured out. I hadn't been using snort as an IDS up to this point, just as a packet sniffer.

This would prevent me from seeing traffic on the network though?

Edit: Just tried Ethereal and it doesn't seem to be working either :( I'm going to email Linksys to ask about this hub.

Yohhan

Senior member
May 17, 2002
Yeah, something doesn't seem right here. I need to play around with this a bit more. Thanks for the pointers.

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Yohhan
By any chance could it be the network card?

I guess so, but doubtful. If you run tcpdump on the interface does it pick up traffic? If so, it's not the NIC. If it doesn't, then you have problems somewhere. :p

Yohhan

Senior member
May 17, 2002
It picks up traffic, just not all traffic. Only traffic directed to the machine. I tried doing the following:

ifconfig eth0 promisc

to put the card in promiscuous mode. Running ifconfig eth0 showed the card as being in promiscuous mode. It didn't change anything. I've tried Snort, Ethereal, and tcpdump. Same results. I only see traffic directed at the machine. Tried various programs on my windows machine including Snort, Ethereal, and Windump. No change -- I'm not sure how to explicitly put a card into promiscuous mode on windows though. It looks like I might be stuck on this one.
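An added check (not from the thread) for the "only traffic directed at the machine" symptom: classify each captured frame by its destination MAC relative to the sniffer's own NIC. Only frames unicast to some other host prove that both the NIC is promiscuous and the hub or SPAN port is actually delivering other hosts' traffic. The sample lines are constructed in the shape `tcpdump -e -n` prints; the MACs, IPs and the assumed own-NIC address are hypothetical.

```python
import re

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed sample in the shape `tcpdump -e -n` prints (MACs and IPs hypothetical);
# the sniffer's own NIC is assumed to be 02:00:00:00:00:0a.
SAMPLE = """\
12:00:01.000001 02:00:00:00:00:0b > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.3 tell 192.168.1.2, length 28
12:00:01.000002 02:00:00:00:00:0c > 02:00:00:00:00:0b, ethertype ARP (0x0806), length 42: Reply 192.168.1.3 is-at 02:00:00:00:00:0c, length 28
12:00:01.000003 02:00:00:00:00:0b > 02:00:00:00:00:0c, ethertype IPv4 (0x0800), length 98: 192.168.1.2 > 192.168.1.3: ICMP echo request, id 1, seq 1, length 64
12:00:01.000004 02:00:00:00:00:0c > 02:00:00:00:00:0a, ethertype IPv4 (0x0800), length 98: 192.168.1.3 > 192.168.1.1: ICMP echo reply, id 2, seq 1, length 64
"""
# timestamp, source MAC > destination MAC, ethertype ...
LINE = re.compile(r"^\S+ (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), ethertype (?P<type>\S+)")
KINDS = ("unicast-to-me", "broadcast", "multicast", "unicast-to-other")

def classify(dst, own_mac):
    """Which delivery class a frame's destination MAC falls in, relative to our NIC."""
    if dst == own_mac:
        return "unicast-to-me"
    if dst == BROADCAST:
        return "broadcast"
    if int(dst[:2], 16) & 1:          # group bit set: multicast
        return "multicast"
    return "unicast-to-other"

def capture_summary(text, own_mac):
    """Count captured frames per delivery class; lines that do not parse are ignored."""
    counts = dict.fromkeys(KINDS, 0)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            counts[classify(m["dst"].lower(), own_mac.lower())] += 1
    return counts

def diagnose(counts):
    """Only unicast-to-other frames prove the NIC is promiscuous AND the medium
    (hub or SPAN port) is delivering other hosts' traffic to it."""
    if counts["unicast-to-other"]:
        return "promiscuous capture working"
    if counts["broadcast"] or counts["unicast-to-me"]:
        return "only own/broadcast frames: NIC not promiscuous, or device is a switch"
    return "no frames parsed"
```

Run `tcpdump -e -n -i eth0` while another host pings a third, feed the output to `capture_summary` with your NIC's MAC, and `diagnose` tells you which of the two failure modes from the thread you are looking at.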

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Yohhan
It picks up traffic, just not all traffic. Only traffic directed to the machine. I tried doing the following:

ifconfig eth0 promisc

to put the card in promiscuous mode. Running ifconfig eth0 showed the card as being in promiscuous mode. It didn't change anything. I've tried Snort, Ethereal, and tcpdump. Same results. I only see traffic directed at the machine. Tried various programs on my windows machine including Snort, Ethereal, and Windump. No change -- I'm not sure how to explicitly put a card into promiscuous mode on windows though. It looks like I might be stuck on this one.

It really sounds like it isn't a hub. :p

If you're anything like me, you have a dozen NICs lying around. Maybe try another one to see if that helps...

Yohhan

Senior member
May 17, 2002
Maybe. I did email Linksys about it. It does say "5 Port Hub" right on the front though, and it cost me 10 bucks. So if it doesn't behave like a hub, I'd be really surprised. Especially since Linksys has a page on their support website detailing the differences between hubs and switches. But if they email me back and tell me it's a switch, at least I won't feel insane.

I have some NICs lying around that I'll try. I'm working off of three different computers though, and none of them appear to be sniffing properly. Maybe I'll pick up a new hub tomorrow and see if that changes anything.

EDIT: One more question. Does it make a difference if it's a 10/100 autosensing hub?

n0cmonkey

Elite Member
Jun 10, 2001
I actually haven't seen a 10/100 hub at most stores. All the ones I see are just 10mbit...

mboy

Diamond Member
Jul 29, 2001
Originally posted by: Boscoh
Originally posted by: mboy
My guess is your hub is really a switch. You need a Managed or Layer 3 switch to do Port spanning. No can do on a Layer 2 or soho type switch.

Since when can you not do SPAN or port mirroring on a Layer 2 switch? I have about 10 L2 switches that I can do this on, from Dell and Cisco....


Yohan,

My best guess would be that you don't have Snort set up correctly. Have you tried another program that sniffs packets, like Ethereal?

Yeah, I meant to say most SOHO-type L2 switches, not all of them.

Anyway, I still stick by it: the hub is really a switch. Find a cheapie 10 Mb hub (you will know, as it will have collision lights on it) and try that.