Re: sniffer black box
From: Bob George (newsgroups02_at_ttlexceeded.com)
Date: Mon, 10 May 2004 20:22:17 -0400
> Yes, the famous Snort.
> But was your box an IDS or a sniffer like what I must do?
Snort can EASILY be configured to do what you're describing. It can be
used in MANY modes, not only IDS. You can sniff everything, or be very
specific about what it logs. I've used it many times for network
testing. All you need to do is master the filter language rules, then
have a basic understanding of what traffic is of interest. There are
existing rules that give plenty of starting points.
> Yes, but the great question is: can we use Snort only to log the traffic
> with the following information:
> - the source IP (or more)
> - the destination (IP or more)
> - protocol
> eventually more info like date, filename if FTP, etc. etc. (more info could be
Yes (though it may require tweaking existing rules, or creating new ones --
> I know that Snort is a good IDS, and it contains a sniffer mode, but the
> other question is : what is better between using Snort sniffer mode (The log
> seems to be hard to parse)
That's more of a report tool function. There are several you can modify,
depending on what you want.
> and using Snort in IDS mode and set the rules for
> a full sniffer use (I don't know if it is possible)
Well, in loose terms, a NIDS is a "sniffer" that looks for specific
(configurable) patterns, so yes.
> I should point out that for the moment I do not want IDS functions ... just analyse
> the use of the LAN by everybody
Don't get too caught up on the term "IDS". Snort can be used in many
modes, including exactly what you're describing.
> I think that I will run it on Gentoo, but will a Linux box be powerful
> enough with eth0?
That will depend on what you try to capture. The trick is to have JUST
ENOUGH rules to capture what's of interest, while letting the
uninteresting traffic go by without logging etc.
As far as sniffing on a switched network: Short of doing something like
ARP spoofing, your best bet is to position the "black box" in a location
where it will see all of the traffic of interest. If you're interested
in Internet usage, then put it near the Internet ingress/egress point
(firewall likely). Most higher-end switches support a "SPAN" (Cisco) or
monitor port of some sort which will let you see ALL traffic on the
switch (or at least the firewall interface port) for monitoring. I've
done this with various Cisco and, more recently, 3Com gear.
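The "report tool" step Bob mentions, as an added example that is not part of the original thread: a small Python parser that reduces Snort's one-line alert log to the fields the poster asked for (date, source, destination, protocol) and counts conversations. It assumes the line layout of Snort 2.x `-A fast` output (reproduced from memory, not taken from the thread), and the log lines inside it are constructed samples.

```python
"""Reduce Snort 'fast' alert lines to src/dst/protocol/time and count them."""
import re
from collections import Counter

# Assumed layout of one Snort 2.x `-A fast` alert line; the Classification
# field is optional and ICMP lines carry no port numbers.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*\d+\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: three alerts from hypothetical log rules plus one
# junk line that a report tool must tolerate.
SAMPLE_LOG = """\
05/10-20:22:17.123456  [**] [1:1000001:1] FTP RETR command [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.5:34567 -> 192.0.2.10:21
05/10-20:22:18.000001  [**] [1:1000002:1] HTTP request [**] [Priority: 0] {TCP} 10.0.0.7:51000 -> 198.51.100.3:80
05/10-20:22:19.500000  [**] [1:1000003:1] ICMP echo [**] [Priority: 0] {ICMP} 10.0.0.5 -> 192.0.2.10
this line is garbage and must be skipped
"""


def parse_fast_alert(line):
    """Return the fields of interest as a dict, or None if the line is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")) if m.group("dport") else None,
        "proto": m.group("proto"),
        "msg": m.group("msg"),
    }


def usage_report(log_text):
    """Count alerts per (source, destination, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_fast_alert(line)
        if rec:  # unparseable lines are skipped rather than aborting the report
            counts[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, proto, dport), n in sorted(usage_report(SAMPLE_LOG).items()):
        print(f"{src:>15} -> {dst:<15} {proto:<4} {dport or '-':>5}  {n}")
```

The file name for an FTP transfer is in the packet payload, so it lives in the packet log Snort writes alongside the alert, not in the one-line alert itself.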