IDS mailing list archives
RE: snort- problems
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Wed, 6 Aug 2003 14:24:48 -0500
Rishi,

# I am new to security and IDS in general.

Welcome. Panic and run away now if you can.

# 1) I was led to believe that Snort can run on one machine and monitor
# specific IPs, which I would like to because not all machines on our
# subnet are part of our office nor are they serially assigned. However,
# snort is monitoring only the machine that it is installed on. Am I
# missing something here or do I need another product?

Snort, like any NIDS (network-based IDS), is essentially just a sniffer for the purpose of monitoring traffic. If you use hubs in your environment, every interface sees every packet, so you can simply plug a NIDS into a hub and see all the rest of the traffic on that hub.

In a switched environment, unicast traffic only goes to the physical port on the switch that its destination host is attached to. In that setup, you will only see (a) broadcast traffic and (b) traffic destined for your specific node/switch port.

Most switches today have functionality to monitor traffic crossing the backplane of the switch. Some vendors call it a mirror port, some call it a monitor port, some call it a SPAN port (Cisco). If you set up a SPAN port, you can see all traffic crossing the backplane of that switch. Cisco also supports RSPAN, which allows you to remotely span *other* switches in your network from one port. I am not aware of any other switch vendors who do this (i.e. someone asked this about Foundry earlier and they do not have this functionality yet).

So if your network is switched, and your switch fabric is distributed at multiple sites, you are likely going to need more than one NIDS sensor (Snort or otherwise) to monitor your environment. Even if you can RSPAN everything, the performance impact of doing this from remote sites will probably be a killer.

Cheers,

Arian Evans
Sr. Security Engineer
FishNet Security
Phone: 816.421.6611
Toll Free: 888.732.9406
Fax: 816.421.6677
http://www.fishnetsecurity.com
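The local SPAN and RSPAN setups Arian describes, as an added configuration example that is not part of his post. It assumes a Cisco IOS-style switch; the session numbers, VLAN IDs and interface names (Gi0/1 through Gi0/12 as monitored access ports, Gi0/24 as the sensor port, VLAN 900 as the RSPAN transport VLAN) are placeholders chosen for illustration, not values from the thread.

```cisco
! --- Local SPAN (single switch): copy the traffic the sensor cannot otherwise
! --- see on a switched network to the port where Snort is plugged in.
monitor session 1 source interface GigabitEthernet0/1 - 12 both
monitor session 1 destination interface GigabitEthernet0/24
! "both" mirrors ingress and egress on the source ports. Without this
! session, a sensor on Gi0/24 sees only broadcasts and its own unicast.

! --- RSPAN (Cisco only, per the post): mirror ports on a remote switch
! --- into a dedicated VLAN and pull it out on the switch holding the sensor.
! On the remote (source) switch:
vlan 900
 name RSPAN-to-IDS
 remote-span
!
monitor session 2 source interface GigabitEthernet0/1 - 12 both
monitor session 2 destination remote vlan 900
!
! On the switch where the sensor sits (VLAN 900 must be trunked between them):
vlan 900
 name RSPAN-to-IDS
 remote-span
!
monitor session 2 source remote vlan 900
monitor session 2 destination interface GigabitEthernet0/24
!
! Verify what the session actually mirrors before trusting the sensor's view:
! show monitor session 1
! show monitor session 2
```

Two caveats a practitioner should check: the SPAN destination port normally stops forwarding ordinary traffic, so the sensor NIC on Gi0/24 should be a dedicated sniffing interface (put Snort's management on a separate NIC), and mirroring twelve ports of bidirectional traffic into one uplink-speed destination can oversubscribe it, which is the same "performance killer" the post warns about for RSPAN across sites. Dropped mirrored frames are silent blind spots for the IDS.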
Current thread:
- snort- problems Rishi Pande (Aug 06)
- Re: snort- problems Alfredo Octavio (Aug 06)
- <Possible follow-ups>
- RE: snort- problems Evans, Arian (Aug 06)