Snort mailing list archives
RE: Switched network woes..
From: "Abe L. Getchell" <abegetchell () home com>
Date: Mon, 14 Jan 2002 22:52:07 -0500
Hi Joe!

Throw extra NICs in the sensor(s). As long as you're not moving more data than the box can handle across multiple interfaces without dropping packets, you'll have a cheap, simple solution. If you have a box with multiple procs, and running your sensor on an OS that supports binding processes to specific procs, you could run multiple instances of Snort, each monitoring an interface and having its own dedicated processor. This would help to avoid context-switching overhead, etc. Just a thought, YMMV.

FWIW, you'll most likely see the 450T code, within the next three months, be able to do many-to-one and one-to-many mirrors. I guess there were some cool things that came out of Nortel buying Alteon Web Systems after all. =)

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell () home com
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Joe Pampel
Sent: Monday, January 14, 2002 10:16 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Switched network woes..

Hi all..

It was the best of times, it was, well, also a pain in the rear. No more hubs for my little corner of the universe, and now that the firewall is clustered I am presented with an irritating IDS situation: Each switch only allows one port to be mirrored - eg: one monitor port and one port where you watch all traffic. (Nortel 450-24T's fwiw) The switches that the firewalls go into are cascaded (one FW nic into each sw) on both the inside and outside.. so it would appear I need 4 sensors just to watch the firewalls now.. is there a shortcut for this? (short of plugging back into hubs!) It would be nice if there was some way to sniff off the VIP of the FW cluster.. although I don't see how that would work...

I can get it down to 3 easily by just monitoring the edge router ethernet port and massaging the snort config to ignore all the stuff that's not ours.. how can I get back to 2 sensors? Any brilliant shortcuts for this? I don't see any way around 3-4 sensors but just thought I'd ask.. If the cluster expands I won't be able to fully monitor it.. and I've gotten really used to monitoring it.

Thx,
- Joe
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
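The "one Snort instance per mirrored interface, each on its own processor" layout Abe suggests, as an added example that is not part of the thread: a small POSIX sh launcher that pins each instance to a CPU with Linux taskset and refuses to start more sensors than there are cores. Interface names, config path and log directory are constructed placeholders; the snort flags are the Snort 2-era -i/-c/-l/-D options.

```shell
#!/bin/sh
# Added example (not from the original post): one Snort process per
# mirror port, each bound to a dedicated CPU so sensors do not compete
# for a core and pay context-switching overhead.
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"   # hypothetical path
LOG_BASE="${LOG_BASE:-/var/log/snort}"              # hypothetical path
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = really launch

# Build the launch command for one interface pinned to one CPU.
# Each instance gets its own log directory so alerts stay attributable
# to the mirror port they were seen on.
# Usage: snort_cmd <iface> <cpu>
snort_cmd() {
    iface=$1; cpu=$2
    printf 'taskset -c %s snort -D -i %s -c %s -l %s/%s\n' \
        "$cpu" "$iface" "$SNORT_CONF" "$LOG_BASE" "$iface"
}

# Oversubscription check: more sensors than cores means two instances share
# a CPU, which defeats the point of pinning. Returns 0 if ok, 1 otherwise.
# Usage: check_capacity <num_ifaces> <num_cpus>
check_capacity() {
    [ "$1" -le "$2" ]
}

# Launch (or print) one instance per "iface:cpu" pair.
# Usage: launch_all eth1:1 eth2:2 eth3:3
launch_all() {
    ncpu=$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)
    if ! check_capacity "$#" "$ncpu"; then
        echo "refusing to start $# sensors on $ncpu CPU(s)" >&2
        return 1
    fi
    for pair in "$@"; do
        iface=${pair%%:*}; cpu=${pair##*:}
        cmd=$(snort_cmd "$iface" "$cpu")
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            mkdir -p "$LOG_BASE/$iface" && eval "$cmd"
        fi
    done
}
```

Run with DRY_RUN=1 first to review the generated command lines; whether the box keeps up is still something to confirm from each instance's packet-drop statistics once the mirrors are live.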