Snort mailing list archives

Re: Snort on span port


From: Charles Heselton <charles.heselton () gmail com>
Date: Wed, 11 Aug 2004 00:01:41 -0700

----- Original Message -----
From: Ilango S Allikuzhi <ilangoallikuzhi () dtcc com>
Date: Thu, 5 Aug 2004 11:23:00 -0400
Subject: [Snort-users] Snort on span port
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>


We are deploying SourceFire (snort network sensor) appliances to
capture traffic on a VLAN that spans 4 Cisco Catalyst 5500 switches
(Cat OS), connected on a trunk. I looked at the data, connecting to
the span port of each of the switches; these span ports are supposed
to be well configured by competent engineers and are in use for a long
time for network sniffing through NAI distributed network sniffer. I
am connecting the snort appliance in parallel with NAI sniffer using a
100 MB/s hub. I see less than 0.2 MB/s traffic on 3 of these switches
while I see over 2 MB/s sustained traffic when connected to the span
port of one of the switches. So I decided to connect the IDS to the
span port of this switch. I initially thought that I would see the
same traffic on all 4 switches as they are trunked and after this
exercise, I realized the entire traffic of the VLAN can be sniffed
only on one switch's span port. A network engineer clarified
that ONLY the root bridge on the VLAN would see all the traffic and
the root bridge could change after a re-election when the current root
goes down.

The question is how do I ensure that I always capture the entire VLAN
traffic, irrespective of which switch is the "root bridge".  Should I
have IDS sensors on the span port of all the switches in this kind of
scenario?  Is there any better solution?  I keep hearing of Cisco
terminology VACL to configure the port on which IDS sits? Is it better
than using a span port?  I would appreciate it if someone shares their
experience dealing with this kind of situation.

Thanks, 
Ilango 

I work in an environment where all of our network traffic is captured
through Cisco Switch Spanning, and I have never experienced a problem
related to whichever switch might be the "root bridge" for the VLAN.

However, I am not a network engineer by any means, I am an IDS
engineer.  So you may want to take what I say with a grain of salt. 
In my experience, "userland" VLANS are spanned to a "monitoring" trunk
VLAN on an alternate switch port.  The IDS either sits on that port,
or (depending upon the capabilities of the switch) that port is then
SPAN'd/RSPAN'd to another switch, which then locally SPANs the traffic
to the IDS promiscuous interface. This whole configuration depends on
your architecture, the capability of your switch infrastructure, and
can vary accordingly.

Some things to consider are 1) how much traffic SHOULD be traversing
the VLANS that you are monitoring on the one that is seeing less
bandwidth?  Is that typical or atypical?  2)  How many VLANS are you
dealing with?  3)  What type of traffic do you actually see on the
port with less bandwidth?  It's really difficult to speak
intelligently about your situation without knowing more about your
architecture.  If you would like to email me off-list to provide more
detail about your infrastructure, I might be able to help more.

Basically, I don't know anything about VACLs, but we've been able to
accomplish most of the visibility that we need through the mixture of
local SPAN sessions and RSPAN sessions (remote).  You should be able
to do the same (depending on the capabilities of your switches).

-- 
Charlie Heselton
Network Security Engineer
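Added example, not from either message in the thread: both posts turn on which switch is the STP root bridge, and a sensor can notice a root re-election itself by decoding the 802.1D Configuration BPDUs the switch sends on the sensor's own port, which is a cheap check that the span placement has gone stale. It assumes the sensor NIC receives those BPDUs; the sample frames are constructed here with made-up bridge MACs.

```python
import struct

STP_MCAST = bytes.fromhex("0180c2000000")          # 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                          # DSAP/SSAP 0x42, UI control
CONFIG_BPDU = struct.Struct("!HBBBH6sIH6sHHHHH")   # 35-byte Configuration BPDU

def bridge_id(priority, mac):
    """Render an 8-byte bridge ID (2-byte priority + 6-byte MAC) as text."""
    return f"{priority}/{mac.hex(':')}"

def parse_config_bpdu(frame):
    """Return (root_id, sender_id, root_path_cost) from an 802.3 STP frame,
    or None if the frame is not an 802.1D Configuration BPDU."""
    if len(frame) < 17 + CONFIG_BPDU.size or frame[:6] != STP_MCAST:
        return None
    if frame[14:17] != LLC_STP:                    # LLC follows the 802.3 length field
        return None
    (proto, _ver, btype, _flags, root_prio, root_mac, cost, br_prio, br_mac,
     _port, _age, _max_age, _hello, _fwd) = CONFIG_BPDU.unpack_from(frame, 17)
    if proto != 0 or btype != 0x00:                # 0x00 = Configuration, 0x80 = TCN
        return None
    return bridge_id(root_prio, root_mac), bridge_id(br_prio, br_mac), cost

class RootBridgeMonitor:
    """Track the root bridge advertised to this port; report when it moves."""
    def __init__(self):
        self.root = None

    def observe(self, frame):
        parsed = parse_config_bpdu(frame)
        if parsed is None:
            return None
        root, sender, cost = parsed
        previous, self.root = self.root, root
        if previous is not None and previous != root:
            return f"root bridge changed {previous} -> {root} (via {sender}, cost {cost})"
        return None

def build_config_bpdu(root_prio, root_mac, cost, br_prio, br_mac):
    """Constructed sample: 802.3 header + LLC + Configuration BPDU (timers in 1/256 s)."""
    bpdu = CONFIG_BPDU.pack(0, 0, 0x00, 0x00, root_prio, root_mac, cost,
                            br_prio, br_mac, 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    llc = LLC_STP + bpdu
    return STP_MCAST + br_mac + struct.pack("!H", len(llc)) + llc

if __name__ == "__main__":
    sw1, sw2 = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
    mon = RootBridgeMonitor()
    print(mon.observe(build_config_bpdu(32768, sw1, 0, 32768, sw1)))   # None
    print(mon.observe(build_config_bpdu(32768, sw2, 19, 32768, sw1)))  # change event
```

A sensor that runs this alongside the capture can page the team when the root moves, which in the thread's topology is exactly when the chosen span port stops seeing the whole VLAN.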

