Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
1.) eth0 is brought-up in stealth mode (no ip)
2.) var HOME_NET <IP of the firewall/NAT box (assigned by ISP dhcp)>
3.) var EXTERNAL_NET $!HOME_NET
Snort is started in IDS mode by doing:
#snort -D -i eth0 -p -c /etc/snort/snort.conf
PROBLEM:
1.) In packet dump mode, I can only see broadcast traffic...just ARP requests on the other side of the cable modem and nothing else
2.) In IDS mode, nothing gets logged, nothing is triggered (probably because snort is only seeing broadcast traffic).
QUESTION:
1.) I'm guessing that the problem is with my dual speed hub (10/100). If I replace the 10/100 hub with a single-speed 10mbps hub, will it correct the problem?
2.) Has anyone had success with a similar setup? If so, care to explain how you did it?
I don't think it's the fact that the hub is dual speed, but if it's not really a hub, and it's a switch (a lot of new "hubs" use switching technology), you won't see anything.
Your "hub" is really a "switch". Hubs are shared media, switches have dedicated bandwidth. On a hub, all devices see all traffic because it's sent to every port. On a switch traffic is sent directly to the port that has the MAC address which should receive it.
If you want to be able to sniff traffic of all the devices plugged into your network, you will need a hub instead of a switch (the speed is irrelevant, but for performance you should get 100Mbps). Alternatively, many enterprise-grade switches have what's known as a "spanning" port, that is a port which either receives all traffic (just like with a hub) or it can be configured to receive traffic for specific ports. In any case, these are usually expensive but you might be able to find a used one on eBay or at a local used computer shop.
I guess I just answered my question. I replaced my SMC 10/100 "hub" (actually a switched hub), with a cheapo Netgear 10baseT hub and now Snort is working perfectly.
Thanks to chort for pointing that out!
PS: A word of caution to all those out there wanting to attempt this project:
-Be cautious of hubs that are marketed as "hubs". My first "hub" was an SMC 10/100 EZHub, which upon closer inspection turned out to be a "switched hub". The second hub I tried was a Linksys 10/100 hub, which turned out to be yet another "switched hub". Unlike the SMC hub, the Linksys hub mentioned absolutely nothing in the documentation/features about it being a switched hub.
-After 3 return trips to the store, it is my conclusion that the only cheap way to get a dedicated snort box to work is by getting yourself a true 10baseT hub...nothing fancy, no additional "features". This way, you'll be assured that you will be getting a classic repeater hub.
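The symptom in this thread (packet dump mode shows nothing but ARP broadcasts) can be checked directly from a link-layer capture before buying hardware: on shared media the sensor sees unicast frames addressed to other hosts, on a switch it sees only broadcast/multicast plus its own unicast. The script below is an added example, not from the thread; the sensor MAC, the two sample captures and the function names are constructed, and the input is the line format of `tcpdump -nn -e` (fields: timestamp, src MAC, `>`, `dst MAC,` ...).

```shell
#!/bin/sh
# Constructed samples of `tcpdump -nn -e -i eth0` output (not from the thread).
# Sensor interface MAC used in both samples: 00:0c:29:aa:bb:cc (no IP, as in the post).
SAMPLE_SWITCHED='10:00:01.000001 00:1a:2b:3c:4d:5e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.2, length 28
10:00:01.000002 00:1a:2b:3c:4d:5e > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 82: 10.0.0.2.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (40)
10:00:01.000003 00:50:56:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.2 tell 10.0.0.1, length 28'

SAMPLE_HUB='10:00:02.000001 00:1a:2b:3c:4d:5e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.2, length 28
10:00:02.000002 00:1a:2b:3c:4d:5e > 00:50:56:11:22:33, ethertype IPv4 (0x0800), length 74: 10.0.0.2.40000 > 10.0.0.1.80: Flags [S], seq 1, win 64240, length 0
10:00:02.000003 00:50:56:11:22:33 > 00:1a:2b:3c:4d:5e, ethertype IPv4 (0x0800), length 74: 10.0.0.1.80 > 10.0.0.2.40000: Flags [S.], seq 2, ack 2, win 65535, length 0
10:00:02.000004 00:1a:2b:3c:4d:5e > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 86: fe80::1 > ff02::1: ICMP6, router advertisement, length 32'

# count_dst SENSOR_MAC < tcpdump-e-output
# Prints "bcast mcast own other": frames by destination MAC class.
count_dst() {
    awk -v me="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    $3 == ">" {
        dst = tolower($4); sub(/,$/, "", dst)        # field 4 is "dst-mac,"
        if (dst == "ff:ff:ff:ff:ff:ff")                b++
        else if (dst == me)                            own++
        else if (index("13579bdf", substr(dst, 2, 1))) m++   # I/G bit set: group address
        else                                           o++   # unicast for another host
    }
    END { printf "%d %d %d %d\n", b, m, own, o }'
}

# tap_verdict SENSOR_MAC < tcpdump-e-output
# "shared" if any unicast frame for another host was seen (hub / mirror port),
# otherwise "switched" (only broadcast, multicast and the sensor's own unicast).
tap_verdict() {
    set -- $(count_dst "$1")
    if [ "$4" -gt 0 ]; then echo shared; else echo switched; fi
}

printf '%s\n' "$SAMPLE_SWITCHED" | tap_verdict 00:0c:29:aa:bb:cc   # switched
printf '%s\n' "$SAMPLE_HUB"      | tap_verdict 00:0c:29:aa:bb:cc   # shared
```

On a real sensor, feed a live sample in the same way, e.g. `tcpdump -nn -e -i eth0 -c 500 | tap_verdict <sensor MAC>`; a "switched" verdict while other hosts are actively talking means the tap point is the problem, not Snort.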