Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] one way traffic?

from [Bamm Visscher] Network Security [Permanent Link]
Subject: Re: [Snort-users] one way traffic?
Date: Fri, 8 Dec 2006 08:21:51 -0700 
Is this a SingleStream SPAN aggregation tap or a SingleStream Link
aggregation tap? If it's a SPAN aggregation tap, I'd check to make
sure the SPAN is setup correctly or hasn't "failed". If a switch gets
overloaded, it'll stop passing packets to the SPAN before it will
impact an active port. In my experience, most switches will leave the
SPAN down or crippled until the admin manually brings it back up.

I'd also try this:

Verify that you are only seeing tfc to the host
tcpdump -c 50 -i eth1 vlan and host xxx.xxx.xxx.xxx

Maybe there isn't any vlan tagging going on for some of the tfc
tcpdump -c 50 -i eth1 host xxx.xxx.xxx.xxx

After that, I think it'd be time to talk to the network guys and see
if they made any changes that would affect data flow past the tap.

Bammkkkk

On 12/8/06, John Hally <JHally@epnet.com> wrote:

Hello All,

I've noticed something strange with snort (2.4.3) and the sguil
log_packets.sh script.  It seems like all of a sudden I'm seeing one-way
traffic.  The sensor is running on Fedora Core5 and I want to say that it
may be attributed to a yum update, but I can't be certain exactly when this
started happening.

Essentially I'm running snort in packet logger mode on a trunk port coming
off an edge router with BPF filters watching a specific host:

snort -l /var/log/snort/sensor/dailylogs/2006-12-08 -b -i eth1 vlan and host
xxx.xxx.xxx.xxx

It seems that the traffic I capture is only destined to the host, not to and
from.  Is it possible something changed as far as the filters?  The traffic
is being captured off of a Gigabit SingleStream tap to a gigabit copper
interface in promisc mode.  I've also tried a SPAN port to the same
interface with the same results.

Thoughts?

Thanks.

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-users] one way traffic?, John Hally
Next by Date:  Re: [Snort-users] one way traffic?, John Hally
Previous by Thread:  [Snort-users] one way traffic?, John Hally
Next by Thread:  Re: [Snort-users] one way traffic?, John Hally
Indexes:  [Date] [Thread] [Top] [All Lists]