IDS mailing list archives

RE: snort- problems


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Wed, 6 Aug 2003 14:24:48 -0500

Rishi,

#I am new to security and IDS in general.

Welcome. Panic and run away now if you can.

#1) I was led to believe that Snort can run on one machine and monitor
#specific IPs, which I would like to because not all machines on our
#subnet are part of our office nor are they serially assigned. However,
#snort is monitoring only the machine that it is installed on. Am I
#missing something here or do I need another product?

Snort, and any NIDS (network-based IDS) are essentially just like
sniffers for the purpose of monitoring traffic.

If you use hubs in your environment, every interface sees every packet,
so you can simply plug a NIDS into a hub and see all the rest of the
traffic on that hub...

In a switched environment, unicast traffic only goes to the physical
port on the switch that its destination host is attached to. In that
setup, you will only see (a) broadcast traffic and (b) traffic destined
for your specific node/switch port.

Most switches today have functionality to monitor traffic crossing the
backplane of the switch. Some vendors call it a mirror port, some call
it a monitor port, some call it a span port (Cisco). If you setup a span
port, you can see all traffic crossing the backplane of that switch.

Cisco also supports rspan, which allows you to remotely span *other*
switches in your network from one port. I am not aware of any other
switch vendors who do this (i.e.-someone asked this about Foundry
earlier and they do not have this functionality yet).

So if your network is switched, and your switch fabric is distributed
at multiple sites, you are likely going to need more than one NIDS
sensor (snort or otherwise) to monitor your environment. Even if
you can rspan everything, the performance impact of doing this
from remote sites will probably be a killer.

Cheers,

Arian Evans
Sr. Security Engineer
FishNet Security

Phone:  816.421.6611
Toll Free:  888.732.9406
Fax:  816.421.6677

http://www.fishnetsecurity.com
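As an added illustration of the span/rspan setup described above (not part of Arian's post), here is the shape of a Cisco IOS-style configuration that mirrors traffic to a Snort sensor's sniffing interface. The switch names, interface names and VLAN number are placeholders chosen for this example.

```text
! Local SPAN on one switch (assumed Cisco IOS syntax; switch names,
! interfaces and VLAN IDs are placeholders for this example).
! Copy the uplink (both directions) and a server port (inbound only)
! to the port where the sensor's sniffing interface is plugged in.
Switch1(config)# monitor session 1 source interface GigabitEthernet0/1 both
Switch1(config)# monitor session 1 source interface GigabitEthernet0/2 rx
Switch1(config)# monitor session 1 destination interface GigabitEthernet0/24

! RSPAN: mirror a port on a remote switch across a dedicated RSPAN VLAN.
! VLAN 900 must be carried on every trunk between Switch2 and Switch1.
! On the remote (source) switch:
Switch2(config)# vlan 900
Switch2(config-vlan)# remote-span
Switch2(config-vlan)# exit
Switch2(config)# monitor session 1 source interface GigabitEthernet0/5 both
Switch2(config)# monitor session 1 destination remote vlan 900

! On the switch the sensor is attached to, pull the RSPAN VLAN out to a
! sensor port. A destination port belongs to exactly one session, so the
! RSPAN feed lands on a second sniffing interface, not on Gi0/24 above.
Switch1(config)# vlan 900
Switch1(config-vlan)# remote-span
Switch1(config-vlan)# exit
Switch1(config)# monitor session 2 source remote vlan 900
Switch1(config)# monitor session 2 destination interface GigabitEthernet0/23

! Confirm what each session is actually mirroring before trusting Snort's view:
Switch1# show monitor session 1
Switch1# show monitor session 2
```

A SPAN destination port normally does not carry the sensor's own traffic, so give the Snort box a separate management interface; watching the destination interface counters for output drops shows whether the mirror is oversubscribed, which is the performance cost Arian warns about for rspan from remote sites.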
