Snort mailing list archives

RE: Multiple IP (ethernet switches vs hubs)


From: "Semerjian, Ohanes" <Semerjian.Ohanes () wcom com au>
Date: Tue, 4 Jun 2002 07:46:22 +0800

You could do port mirroring on the switch to get the traffic for all other
ports. Placing a hub after internet routers is not the best way.

Best Regards

Ohanes Semerjian


-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Tuesday, 4 June 2002 5:42
To: Salvatore Basso; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Multiple IP (ethernet switches vs hubs)


HOME_NET [ip1/32, ip2/32] is the proper format for 2 ip addresses (note the 
addition of the /32 netmask). If you want to do a whole subnet, change the 
/32 to the appropriate netmask size.

As far as the switched ethernet goes, if you're using an ethernet switch 
instead of a hub on your network your snort box will not see the traffic 
being sent to other machines. An ethernet switch is a somewhat intelligent 
version of a hub that automatically builds tables of what MAC addresses are 
on each port, based on past traffic. When a normal unicast packet comes 
into a switch, it will only go out the one port which has that machine 
connected to it. This greatly reduces collisions and improves network 
performance.


Thus a snort sensor on a different switch will not be able to see most 
traffic bound for other machines on other switch ports. A hub on the other 
hand echoes traffic to all of its outbound ports, so the snort machine will 
see traffic bound for its neighbors, but that increases collisions and 
reduces network performance.

I've mentioned on the list before that I use a setup like the one below to 
monitor all traffic to and from the internet on my network, and it should work 
well for any less-than-3mbit/sec internet connection. I'm using fairly 
conservative numbers so that the 10mbit hub is no problem; with any more than 
3mbit in both directions simultaneously, the hub could get collision 
saturated, depending on what's going on. It could also work very well up to 
6-8mbit/sec if it's almost all going in one direction.


(internet router)
      |
      |
(10mbit hub)    ----  snort sensor
      |
      |
(ethernet switch)
   /   |   \
(various workstations)


If you have a faster line, use a 100mbit hub and that should carry up to 
20-30mbit/sec in both directions, but make sure all the ports are set up 
with 100mbit links, don't rely on the "10/100 auto-switching" feature of 
some hubs. If you have a faster setup still, get a high-end switch with a 
mirror port, but if you're running a T3 or better you should already know 
this kind of equipment.


At 09:45 AM 6/3/2002 +0200, Salvatore Basso wrote:
Hello, thanks for the answer...
So I must modify the file snort.conf like this:
var HOME_NET [ ip1, ip2 ]
just that?
Excuse me, but I must ask you another question: what do you mean by
*NOT* on a switched ethernet port? Thanks.

        -Salvatore.


----- Original Message -----
From: "matt" <mkettler () evi-inc com>
To: "Salvatore Basso" <sasab () pixteam com>;
<snort-users () lists sourceforge net>
Sent: Saturday, June 01, 2002 10:22 PM
Subject: Re: [Snort-users] Multiple IP


Modify the HOME_NET variable in snort.conf, and make sure that you are
*NOT* on a switched ethernet port. (If you're switched, traffic for other
machines won't show up on your ethernet port, so it won't matter how snort
is configured.)

That's all you should need to do on a *NIX setup, and I assume there's
nothing extra for Win32, but that's a bit of a strange build that I've not
used, so I cannot speak conclusively on the matter.


At 06:55 PM 5/31/2002 +0200, Salvatore Basso wrote:
Hi, I use the version for Windows, and I have the requirement of monitoring
more IP addresses. I have read that I must modify the configuration file,
but at which point? Thanks.

        -Salvatore.
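As an added illustration of the two points the thread makes (HOME_NET entries need a netmask, and a sensor on a plain switch port sees only flooded frames unless the switch mirrors a port for it), here is a small simulation. It is not code from the thread or from Snort; the port numbers, MAC labels and frame list are constructed for the demo, and the mirror port is assumed to receive a copy of every frame entering or leaving the mirrored ports.

```python
"""Added example, not from the thread: simulate which unicast frames a Snort
sensor port receives on a hub, on a learning switch, and on a switch with a
mirror (SPAN) port. Port numbers and MAC labels are constructed for the demo."""
import ipaddress


def home_net(addresses):
    """Build the snort.conf HOME_NET line; bare hosts get the /32 the thread notes."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]
    return "var HOME_NET [" + ",".join(str(n) for n in nets) + "]"


class Hub:
    """A hub repeats every frame to every port except the one it came in on."""
    def forward(self, in_port, src, dst, ports):
        return ports - {in_port}


class LearningSwitch:
    """Learns src MAC -> port from past traffic; a known unicast destination
    gets the frame on one port only, an unknown one is flooded. A mirror port
    (assumed behaviour) gets a copy of frames entering or leaving mirrored ports."""
    def __init__(self, mirror_port=None, mirrored=()):
        self.table = {}
        self.mirror_port = mirror_port
        self.mirrored = set(mirrored)

    def forward(self, in_port, src, dst, ports):
        self.table[src] = in_port
        if dst in self.table:
            out = {self.table[dst]} - {in_port}
        else:
            out = ports - {in_port, self.mirror_port}
        if self.mirror_port is not None and (in_port in self.mirrored or out & self.mirrored):
            out = out | {self.mirror_port}
        return out


def frames_seen_by(device, sensor_port, ports, frames):
    """Count frames (in_port, src, dst) delivered to the sensor's port."""
    return sum(sensor_port in device.forward(p, s, d, ports) for p, s, d in frames)


# Constructed topology: port 0 = internet router, 1/2 = workstations, 3 = sensor.
PORTS = {0, 1, 2, 3}
FRAMES = [(1, "A", "B"), (2, "B", "A"), (1, "A", "B"), (0, "R", "A"), (1, "A", "R")]

if __name__ == "__main__":
    print(home_net(["192.0.2.10", "192.0.2.11"]))
    print("hub:", frames_seen_by(Hub(), 3, PORTS, FRAMES))            # 5
    print("switch:", frames_seen_by(LearningSwitch(), 3, PORTS, FRAMES))  # 1
    print("mirror:", frames_seen_by(LearningSwitch(3, {0}), 3, PORTS, FRAMES))  # 3
```

On the plain switch the sensor only catches the one frame flooded before the destination MAC was learned; mirroring the router's port restores every frame that crosses the internet link.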




_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
