Snort mailing list archives
Re: Snort on span port
From: SN ORT <snort_on_acid () yahoo com>
Date: Thu, 12 Aug 2004 12:51:58 -0700 (PDT)
Hey man, don't be dis'ing my net engineers! J/K. Ok, so if I remember correctly, root bridges are like only for VLAN trunking protocol and elections and what-not of switches that will act as root bridges. All they do is keep track of VLANs. Not sure what this has to do with port spanning/monitoring. Your engineers should be spanning at the physical layer and not the VLAN layer. They should be spanning the physical ports that the VLANs are trunked on and connected to each other. Never mind the gibberish about Cisco switches not keeping up with spanning... hogwash! You assign VLANs and trunks to ports; all the engineers need to worry about is physically spanning those ports to your ports. IOW, let's say my trunk port is port one on one of the switches. The port is either part of the backbone or at least connects to the other switches. Now let's say your IDS is connected to port two. All the engineer has to do is get on the switch, go to port 2 and type in "port monitor fa0/1". Then you'd be set!

Cheese!
Marc
--__--__--
Message: 1
Date: Wed, 11 Aug 2004 00:01:41 -0700
From: Charles Heselton <charles.heselton () gmail com>
To: Ilango S Allikuzhi <ilangoallikuzhi () dtcc com>
Subject: Re: [Snort-users] Snort on span port
Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>

----- Original Message -----
From: Ilango S Allikuzhi <ilangoallikuzhi () dtcc com>
Date: Thu, 5 Aug 2004 11:23:00 -0400
Subject: [Snort-users] Snort on span port
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>

We are deploying SourceFire (Snort network sensor) appliances to capture traffic on a VLAN that spans 4 Cisco Catalyst 5500 switches (CatOS), connected on a trunk. I looked at the data, connecting to the span port of each of the switches; these span ports are supposed to be well configured by competent engineers and have been in use for a long time for network sniffing through the NAI distributed network sniffer. I am connecting the Snort appliance in parallel with the NAI sniffer using a 100 MB/s hub. I see less than 0.2 MB/s traffic on 3 of these switches, while I see over 2 MB/s sustained traffic when connected to the span port of one of the switches. So I decided to connect the IDS to the span port of this switch.

I initially thought that I would see the same traffic on all 4 switches as they are trunked, and after this exercise I realized the entire traffic of the VLAN can be sniffed only on one of the switches' span port. A network engineer clarified that ONLY the root bridge on the VLAN would see all the traffic, and the root bridge could change after a re-election when the current root goes down.

The question is how do I ensure that I always capture the entire VLAN traffic, irrespective of which switch is the "root bridge"? Should I have IDS sensors on the span port of all the switches in this kind of scenario? Is there any better solution? I keep hearing of the Cisco terminology VACL to configure the port on which the IDS sits. Is it better than using a span port? I would appreciate it if someone shares their experience dealing with this kind of situation.

Thanks,
Ilango

I work in an environment where all of our network traffic is captured through Cisco switch spanning, and I have never experienced a problem related to whichever switch might be the "root bridge" for the VLAN. However, I am not a network engineer by any means; I am an IDS engineer. So you may want to take what I say with a grain of salt.

In my experience, "userland" VLANs are spanned to a "monitoring" trunk VLAN on an alternate switch port. The IDS either sits on that port, or (depending upon the capabilities of the switch) that port is then SPAN'd/RSPAN'd to another switch, which then locally SPANs the traffic to the IDS promiscuous interface. This whole configuration depends on your architecture and the capability of your switch infrastructure, and can vary accordingly.

Some things to consider are: 1) how much traffic SHOULD be traversing the VLANs that you are monitoring on the one that is seeing less bandwidth? Is that typical or atypical? 2) How many VLANs are you dealing with? 3) What type of traffic do you actually see on the port with less bandwidth?

It's really difficult to speak intelligently about your situation without knowing more about your architecture. If you would like to email me off-list to provide more detail about your infrastructure, I might be able to help more. Basically, I don't know anything about VACLs, but we've been able to accomplish most of the visibility that we need through the mixture of local SPAN sessions and RSPAN sessions (remote). You should be able to do the same (depending on the capabilities of your switches).

--
Charlie Heselton
Network Security Engineer
Current thread:
- Snort on span port Ilango S Allikuzhi (Aug 09)
- Re: Snort on span port Charles Heselton (Aug 11)
- <Possible follow-ups>
- Re: Snort on span port Michael J. Pelletier (Aug 11)
- Re: Snort on span port TKaroutsos (Aug 11)
- Re: Snort on span port Michael J. Pelletier (Aug 11)
- Re: Snort on span port Rich Adamson (Aug 11)
- Re: Snort on span port Michael J. Pelletier (Aug 11)
- Re: Snort on span port SN ORT (Aug 12)
- Re: Snort on span port Michael J. Pelletier (Aug 12)
- Fwd: Snort on span port Charles Heselton (Aug 14)
- Re:Snort on span port SN ORT (Aug 16)
- RE: Snort on span port Douglas McCrea (Aug 17)