I want to monitor traffic outside my firewall with a dedicated Snort box. My firewall is a Linux box running IPTABLES. I have this setup:


INTERNET
|
|
CABLE MODEM
|
|
10/100HUB-----FIREWALL/NAT BOX-----LAN
|
|
SNORT BOX
(eth0 stealth)

Snort configuration:

1.) eth0 is brought-up in stealth mode (no ip)
2.) var HOME_NET <IP of the firewall/NAT box (assigned by ISP dhcp)>
3.) var EXTERNAL_NET $!HOME_NET

Snort is started in IDS mode by doing:

#snort -D -i eth0 -p -c /etc/snort/snort.conf

PROBLEM:

1.) In packet dump mode, I can only see broadcast traffic...just ARP requests on the other side of the cable modem and nothing else

2.) In IDS mode, nothing gets logged, nothing is triggered (probably because snort is only seeing broadcast traffic).

QUESTION:

1.) I'm guessing that the problem is with my dual speed hub (10/100). If I replace the 10/100 hub with a single-speed 10mbps hub, will it correct the problem?

2.) Has anyone had success with a similar setup? If so, care to explain how you did it?

Thanks in advance.

i don't think it's the fact the hub is dual speed, but if it not really a hub, and it's a switch (a ot of new "hubs" using switching technology) you won't see anything.

Your "hub" is really a "switch". Hubs are shared media, switches have dedicated bandwidth. On a hub, all devices see all traffic because it's sent to every port. On a switch traffic is sent directly to the port that has the MAC address which should receive it.

If you want to be able to sniff traffic of all the devices plugged into your network, you will need a hub instead of a switch (the speed is irrelevant, but for performance you should get 100Mbs). Alternatively, many enterprise-grade switches have what's known as a "spanning" port, that is a port which either receives all traffic (just like with a hub) or it can be configured to receive traffic for specific ports. In any case, these are usually expensive but you might be able to find a used one on eBay or at a local used computer shop.

Thanks for the responses.

I checked the manufacturer specs on my SMC 5605DS 10/100 EZHub, and although it is indeed marketed as a "hub", it also has these features:

I don't know whether to be upset because I purchased a hub but got a switch, or to be happy because I purchased a hub and got a switch!!?????

I guess I just answered my question. I replaced my SMC 10/100 "hub" (actually a switched hub), with a cheapo Netgear 10baseT hub and now Snort is working perfectly.

Thanks to chort for pointing that out!

PS: A word of caution to all those out there wanting to attempt this project:

-Be cautious of hubs that are marketed as "hubs". My first "hub" was a SMC 10/100 EZHub, which upon closer inspection turned-out to be a "switched hub". The second hub I tried was a Linksys 10/100 hub, which turned-out to be yet another "switched hub". Unlike the SMC hub, the Linksys hub mentioned absolutely nothing in the documentation/features about it being a switched hub.

-After 3 return trips to the store, it is my conclusion that the only cheap way to get a dedicated snort box to work is by getting yourself a true 10baseT hub...nothing fancy, no additional "features". This way, you'll be assured that you will be getting a classic repeater hub.