Snort mailing list archives
RE: Using snort on a switched network
From: "Blue Knight" <blueknight () nyc rr com>
Date: Sun, 6 Jan 2002 22:37:44 -0500
Hello,

There are a few ways of doing IDS (not only snort) on a switched network (and I have set up at least 1000+ of such systems all over the world (non snort unfortunately)).

#1 - Most switches have a mode that allows you to mirror the data of certain ports to one port (this capability is not available on the cheap consumer switches, but even there there is a way to do it.. see #2 or #3). On a Cisco it is called Port spanning but the general term is port mirroring. Basically what you are telling the switch is that you want to send all the data from the mirrored ports to another port when the mirrored port receives traffic. This usually works except that most lower/middle end switches only allow one port to receive the mirrored data. So if you need other things listening to the data or the ability to use a sniffer you need to connect a small hub at that location.

#2 Shomiti Tap - There is a company that makes cheap devices that work as a tap on the wire: the incoming cable plugs in to it, the outgoing cable plugs in to it and the IDS cable plugs in to it. This device is only for listening (perfect for snort); for some IDS that send resets you would not be able to do it via this device. The beauty of it is that this device fails in an open state so you never lose your primary connection, just the ability to monitor the network. It works by plugging the wire from the router device (in a home environment, cable modem or DSL modem) in to the In port of the tap, then you plug the out cable in to the switch, and the IDS in to the monitoring port. It is a very nice device and pretty cheap and has good redundancy but not as cheap as #3.

#3 Hub - Buy a small hub (4 port - I like to use Netgear since they are pretty nice), connect the cable from the router/cable modem/DSL modem to the hub, connect the crossover cable to the hub and the other end to the switch. Then connect the IDS to the hub as well. Since it is a shared medium environment you will be able to monitor this.

This is the cheapest way and actually the worst way of doing it since collisions are introduced and the failure of a hub as well. But I figured I would throw it in just in case.

Yury German

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Linux Boy
Sent: Sunday, January 06, 2002 1:22 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Using snort on a switched network

Hello Everyone,

One quick question. How does snort do NID on a switched network? Is it less productive on a switched network? The reason is that I am on a switched network and would like to use snort. However, my whole network is behind our firewall and many people suggested not to run snort on the same machine as the firewall. So if I run snort on another machine outside the firewall, but on the same network as the firewall (also switched), will snort detect port scans, etc. directed towards my firewall and machines behind it? If so, how does it work?

Thanks in advance.

Mike

_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
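The port-mirroring option (#1 in the reply above) on the switch side, as an added example that is not part of the thread: a SPAN session on a Cisco Catalyst running IOS that copies the firewall uplink and the host ports to the port where the Snort sensor sits. The switch model, interface names and session number are assumptions.

```cisco
! Added example, not from the thread. Assumes a Catalyst switch running IOS;
! interface names and the session number are placeholders for your own switch.
!
! Copy everything on the uplink to the firewall, in both directions, so scans
! aimed at the firewall from outside are seen by the sensor ...
monitor session 1 source interface FastEthernet0/1 both
! ... plus frames received on the ports of the hosts behind it.
monitor session 1 source interface FastEthernet0/2 - 12 rx
!
! Deliver the mirrored copies to the port the Snort sensor is plugged into.
! A SPAN destination port stops forwarding normal traffic, so the sensor NIC
! on this port should carry no IP address and be used for monitoring only.
monitor session 1 destination interface FastEthernet0/24
!
! Caveat: the sum of the mirrored ports' traffic can exceed what the single
! destination port can carry; frames dropped by the switch here never reach
! Snort and no alert is raised for them. Mirror only what the sensor needs.
```

On the sensor, point Snort at the NIC cabled to FastEthernet0/24; Snort opens the interface in promiscuous mode itself, so no switch-side address or VLAN membership is needed on that port.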
Current thread:
- Using snort on a switched network Linux Boy (Jan 06)
- Re: Using snort on a switched network James (Jan 06)
- Re: Using snort on a switched network Erik Fichtner (Jan 06)
- Re: Using snort on a switched network Jason Costomiris (Jan 06)
- RE: Using snort on a switched network Blue Knight (Jan 06)