Re: sniffer black box
From: Maxime Ducharme (maxime_at_pandore-designSPAMISBAD.com)
Date: 10/30/03
- Next message: Maxime Ducharme: "Re: ICMP - What the hell are these log files telling me....."
- Previous message: John Smith: "Re: ICMP - What the hell are these log files telling me....."
- In reply to: Nosnos: "Re: sniffer black box"
- Next in thread: Florian Reitmeir: "Re: sniffer black box"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 30 Oct 2003 10:16:19 -0500
"Nosnos" <nosnos94@_NO_wanadoo_SPAM_.fr> wrote in message
news:bnqj59$83v$1@s1.read.news.oleane.net...
>
> > Hi
> Hi thx for your answer
>
Hi again
> >
> > I did the same thing with Snort NIDS : http://www.snort.org/
> Yes the famous Snort
> But was your box an IDS or a sniffer like what I must do ?
No
>
> >
> > Snort can be configured to generate alerts based on packets it sees,
> > and it is highly configurable.
> Yes but the great question is : can we use Snort only to log the traffic
> with the following information :
> the source IP (or more) - the destination (IP or more) - protocol -
> possibly more info like date, filename if FTP etc. etc. (more info would be
> appreciated)
>
> I know that Snort is a good IDS, and it contains a sniffer mode, but the
> other question is : what is better between using Snort sniffer mode (the
> log seems to be hard to parse) and using Snort in IDS mode and setting the
> rules for a full sniffer use (I don't know if it is possible) and letting
> the large tools available for reading logs/databases produced by the IDS
> analyse the traffic .....
It depends whether you want to log all traffic or only suspicious traffic.
I would suggest sniffer mode with some rules to make the logs easier to parse.
>
> I should specify that for the moment I do not want IDS functions ... just to
> analyse the use of the LAN by everybody
> >
Like Florian said, ipaudit would be nice too
> > It can send alerts via email, SMB messages (windows), etc
> > and log everything in a log file, in a database, ...
> Yes I saw it, it is very powerful
>
> >
> > You may also tell Snort to log the content of these suspicious
> > packets, so you may do more precise analysis of "what was
> > going on yesterday night when the bandwidth peaked".
> >
> > I usually run Snort on linux, you may see on this link which OS
> > Snort can run on :
> > http://www.snort.org/about.html
> I think that I will run it on Gentoo, but will a Linux box be powerful
> enough with eth0 ?
My box ran on 40 Mbit/s of traffic without problems.
>
> >
> > For real-time network analysis, I also recommend ntop from
> > http://www.ntop.org/ , with this tool you can quickly determine
> > which protocols are used on the network.
> >
> > ex (Ntop has a web based interface) http://www.ntop.org/ntop2.jpg
> >
> > but it cannot detect suspicious activity like Snort could do.
> Ok Thx I will test it
>
> >
> > Hope it helps
> Sure it helps me, thx a lot
> >
> > Ciao
> ++
> See you soon ;)
See you later :-]
---------------------------------------------------------------
Maxime Ducharme
Network administrator, Programmer
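The fields Nosnos asks for (date, source, destination, protocol) are all present in Snort's one-line "alert_fast" output, so the "sniffer mode with some rules to make logs easier to parse" suggestion can be shown end to end. The example below is added here for this archive page; it is not code from either poster or from the Snort project. It assumes Snort 2's alert_fast line format, a catch-all rule whose message ("LAN traffic") and sid (1000001) are chosen for this example, and uses constructed sample log lines rather than real captured traffic.

```python
"""
Parse Snort "alert_fast" log lines into timestamp, source, destination and
protocol, then summarise who is using the LAN and which services they hit.

Assumed Snort 2 setup (not from the original thread):
    output alert_fast: snort.fast
    alert ip any any -> any any (msg:"LAN traffic"; sid:1000001; rev:1;)
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines in alert_fast format (not real captured data).
SAMPLE_LOG = """\
10/30-10:16:19.123456  [**] [1:1000001:1] LAN traffic [**] [Priority: 3] {TCP} 192.168.1.10:34567 -> 10.0.0.5:21
10/30-10:16:19.223456  [**] [1:1000001:1] LAN traffic [**] [Priority: 3] {TCP} 192.168.1.11:51234 -> 10.0.0.5:80
10/30-10:16:20.000001  [**] [1:1000001:1] LAN traffic [**] [Priority: 3] {UDP} 192.168.1.10:5353 -> 224.0.0.251:5353
10/30-10:16:21.500000  [**] [1:1000001:1] LAN traffic [**] [Priority: 3] {ICMP} 192.168.1.12 -> 10.0.0.5
this line is garbage and must be skipped
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, {PROTO}, src[:port] -> dst[:port].
# Ports are absent for protocols such as ICMP, so they are optional.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)


def parse_fast_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one alert_fast line, or None if it is malformed."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "timestamp": d["ts"],
        "msg": d["msg"],
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def parse_fast_log(text: str) -> List[Dict[str, object]]:
    """Parse a whole log, silently skipping lines that are not alerts."""
    records = []
    for line in text.splitlines():
        rec = parse_fast_line(line)
        if rec is not None:
            records.append(rec)
    return records


def summarise(records: List[Dict[str, object]]) -> Dict[str, Counter]:
    """Count packets per protocol, per source host and per proto/dst-port."""
    by_proto = Counter(r["proto"] for r in records)
    by_src = Counter(r["src"] for r in records)
    by_service = Counter(
        f"{r['proto']}/{r['dport']}" for r in records if r["dport"] is not None
    )
    return {"by_proto": by_proto, "by_src": by_src, "by_service": by_service}


if __name__ == "__main__":
    recs = parse_fast_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['timestamp']} {r['proto']:<4} "
              f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}")
    s = summarise(recs)
    print("packets per protocol:", dict(s["by_proto"]))
    print("top talkers:", s["by_src"].most_common(3))
    print("services hit:", dict(s["by_service"]))
```

With a catch-all rule every packet becomes one line, so the per-host and per-service counters are what answer "who was using the LAN"; if only suspicious traffic should be logged, the same parser works unchanged on the output of the normal Snort rule set.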