Re: [Snort-Users] Is it really a HUB?
This is a discussion on Re: [Snort-Users] Is it really a HUB? within the Snort forums, part of the System Security and Security Related category; If it is really autosensing port speed it is a multiport bridge = (switch?). If it is a single speed device ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
11-26-2003
|
|||
|
|||
Re: [Snort-Users] Is it really a HUB?
If it is really autosensing port speed it is a multiport bridge =
(switch?). If it is a single speed device with shared bandwidth across all active = ports it is a repeater (hub?). I have no idea where the terms hub and switch fit into the IEEE 802.x = standards, I suspect about the same place telco switches and marketing = fit. Thanks, Charlie >Message: 10 >From: "Petriz, Pablo" <ppetriz@siscat.com.ar> >To: "'snort-users@lists.sourceforge.net'" > <snort-users@lists.sourceforge.net> >Cc: "'ktk@enterprise.bidmc.harvard.edu'" > <ktk@enterprise.bidmc.harvard.edu>, > "'dluff@iitscdm.com.au'" > <dluff@iitscdm.com.au> >Subject: Re: [Snort-users] Is it really a HUB? >Date: Wed, 26 Nov 2003 14:57:22 -0300 > >I want to know if someone on this list is using the Cisco 1538 Micro = Hub for >snorting. > >In the overview pdf of this product says: > >- Autosensing on all ports allows automatic configuration for either = 10BaseT >or >100BaseT connections. >- Built-in high-speed bridge function automatically connects 10BaseT = and >100BaseT >workstations without an external switch or router. >- Embedded switch supports store-and-forward switching and filtering = and >forwarding >rate at full-wire speed. > >So i don't know if snort will see all the traffic on it... > >Thanks, > >PABLO > >> Date: Wed, 29 Oct 2003 15:42:00 -0500 >> From: "Kristofer T. Karas" <ktk@enterprise.bidmc.harvard.edu> >> To: snort-users@lists.sourceforge.net >> CC: Darryl Luff <dluff@iitscdm.com.au> >> Subject: Re: [Snort-users] Is it really a HUB? >>=20 >> Darryl Luff wrote: >>=20 >> > It works as you say. Except that if your station never transmits=20 >> > anything, the switch will not learn your MAC, and will flood all=20 >> > traffic addressed TO YOU out all ports. [snip] >>=20 >> Thanks... >>=20 >> Right, that was the very thought that hit me in the head the=20 >> other night=20 >> as I pondered the issues further. The router with the spanned port=20 >> talks to a small handful of other routers; the only MAC=20 >> addresses seen=20 >> coming in to the hub from that port will therefore be those=20 >> of the other=20 >> routers, all of which will make their way into the hub's MAC table. =20 >> Thus, within a few seconds or so, the small hub will not send=20 >> anything=20 >> to the IDS because it knows that the source and destination MACs all=20 >> reside on the port connected to the router's spanned port;=20 >> ergo, there=20 >> is no need to copy the packets to any of its (the hub's) other ports. = >>=20 >> Bugger. I guess I need to find somebody that makes a small 4-port=20 >> switch where one can configure a port as a promiscuous=20 >> listening interface. >>=20 >> Kris --__--__-- Message>: 11 ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
