sniffer black box

#11, 11-02-2003
nosnos
Re: sniffer black box

> Depends if you want to log all traffic or only suspicious traffic
>
> I would suggest sniffer mode with some rules to make logs easier to parse

OK

> >
> > >
> > > You may also tell Snort to log the content of these suspicious
> > > packets, so you may do more precise analysis of "what was
> > > going on yesterday night when the bandwidth peaked".
> > >
> > > I usually run Snort on linux, you may see on this link which OS
> > > Snort can run on :
> > > http://www.snort.org/about.html

> > I think that I will run it on Gentoo, but will a Linux box be powerful
> > enough with eth0?

>
> my box ran on 40 mbits traffic without problems

I want to know if your black box can work on a LAN with a switch?
Where is your BB on your network? It must surely be on the proxy, isn't it?
If it is not, how could it analyse all traffic if the LAN is connected by a
switch?

The box must be placed near the output to the internet ... so it must have 2
network cards? One for the input data (from the company network), the
second for the output data (so the same data) that goes toward the net?

++


#12, 05-11-2004
Bob George
Re: sniffer black box

Nosnos wrote:
> [...]
> Yes, the famous Snort
> But was your box an IDS or a sniffer like what I must do?


Snort can EASILY be configured to do what you're describing. It can be
used in MANY modes, not only IDS. You can sniff everything, or be very
specific about what it logs. I've used it many times for network
testing. All you need to do is master the filter language rules, then
have a basic understanding of what traffic is of interest. There are
existing rules that give plenty of starting points.

> Yes but the great question is: can we use Snort only to log the traffic
> with the following information:
> - the source IP (or more)


Yes (easy)

> - The destination (IP or more)


Yes (easy)

> - protocol -


Yes (easy)

> eventually more info like date, filename if ftp etc. (more info would be
> appreciated)


Yes (though may require tweaking existing rules, or creating new ones --
not hard.)

> I know that Snort is a good IDS, and it contains a sniffer mode, but the
> other question is: what is better between using Snort sniffer mode (the log
> seems to be hard to parse)


That's more of a report tool function. There are several you can modify,
depending on what you want.

> and using Snort in IDS mode and set the rules for
> a full sniffer use (I don't know if it is possible)


Well, in loose terms, a NIDS is a "sniffer" that looks for specific
(configurable) patterns, so yes.

> I should specify that for the moment I do not want IDS functions ... just to
> analyse the use of the LAN by everybody


Don't get too caught up on the term "IDS". Snort can be used in many
modes, including exactly what you're describing.

> I think that I will run it on Gentoo, but will a Linux box be powerful
> enough with eth0?


That will depend on what you try to capture. The trick is to have JUST
ENOUGH rules to capture what's of interest, while letting the
uninteresting traffic go by without logging etc.

As far as sniffing on a switched network: Short of doing something like
ARP spoofing, your best bet is to position the "black box" in a location
where it will see all of the traffic of interest. If you're interested
in Internet usage, then put it near the Internet ingress/egress point
(firewall likely). Most higher end switches support a "span" (cisco) or
monitor port of some sort which will let you see ALL traffic on the
switch (or at least the firewall interface port) for monitoring. I've
done this with various Cisco, and recently 3Com gear.

- Bob
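Bob's two points, that readable output is a report-tool job and that a few targeted rules suffice to log source, destination and protocol, as an added example that is not part of the thread: a small Python report tool over Snort 2.x fast-format (-A fast) alert lines. The alert lines, the rule quoted in the comment and the sid values are constructed for illustration, not captured from a real network.

```python
import re
from collections import Counter, defaultdict

# Snort 2.x "alert_fast" (-A fast) line layout:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src:port -> dst:port
# ICMP lines carry no ports. An illustrative rule in the "just enough" spirit of the
# reply (HOME_NET is the LAN range; the sid is a constructed example value):
#   alert tcp $HOME_NET any -> !$HOME_NET any (msg:"LAN outbound TCP"; sid:1000001; rev:1;)
FAST_LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: [^\]]*\]\s+)?(?:\[Priority: \d+\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not captured traffic); the last line is deliberately malformed.
SAMPLE_LOG = """\
11/02-09:58:01.112233  [**] [1:1000001:1] LAN outbound TCP [**] [Priority: 3] {TCP} 192.168.1.10:51234 -> 203.0.113.5:80
11/02-09:58:02.445566  [**] [1:1000001:1] LAN outbound TCP [**] [Priority: 3] {TCP} 192.168.1.10:51235 -> 203.0.113.5:443
11/02-09:58:03.778899  [**] [1:1000002:1] LAN outbound UDP [**] [Priority: 3] {UDP} 192.168.1.22:53001 -> 198.51.100.53:53
11/02-09:58:04.000000  [**] [1:1000003:1] LAN outbound ICMP [**] [Priority: 3] {ICMP} 192.168.1.22 -> 198.51.100.1
this line is not a snort alert and must be skipped
"""

def parse_fast_alerts(text):
    """Yield one dict (ts, sid, msg, proto, src, dst, ports) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = FAST_LINE.match(line)
        if m:
            yield m.groupdict()

def usage_by_source(text):
    """Per source IP: packet count, per-protocol counts and the set of distinct destinations."""
    report = defaultdict(lambda: {"packets": 0, "protocols": Counter(), "destinations": set()})
    for rec in parse_fast_alerts(text):
        entry = report[rec["src"]]
        entry["packets"] += 1
        entry["protocols"][rec["proto"]] += 1
        entry["destinations"].add(rec["dst"])
    return dict(report)

if __name__ == "__main__":
    for src, info in sorted(usage_by_source(SAMPLE_LOG).items()):
        print(f"{src}: {info['packets']} pkts {dict(info['protocols'])} -> {sorted(info['destinations'])}")
```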