Snort mailing list archives
RE: Snort on span port
From: "Douglas McCrea" <dmccrea () rutgers edu>
Date: Tue, 17 Aug 2004 09:15:01 -0400
Data will only go to the switch if there is a device on that switch in the proper VLAN. For instance, if you have four VLANs (1-4) and you have the following setup (VLANs are trunked using 802.1Q):

Switch Name    VLANs currently being used by devices
Switch1        1
Switch2        1,2
Switch3        2,3,4
Switch4        4

You should monitor the trunk with your SPAN port on Switch3, which will at least show all the traffic for VLANs 2,3,4, assuming your devices are on 24 hours a day. You could improve this by setting up a hardened, multihomed system that just listens on four different ports, each NIC/port combo designated to one of the VLANs. This would pull traffic more readily.

I've also been doing some thinking about this... Would it be possible to plug into the aggregate switch using a fiber NIC? Anyway, the best way to do this would be a tap. I don't have the luxury, so I monitor the trunk on my busiest switches. Eventually I'm going to set up the multi-homed system with 5 VMware honeypots that listen on all ports; I just haven't had the time.

-Doug
Assistant Director, IT
Rutgers University

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Charles Heselton
Sent: Wednesday, August 11, 2004 3:02 AM
To: Ilango S Allikuzhi
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort on span port

----- Original Message -----
From: Ilango S Allikuzhi <ilangoallikuzhi () dtcc com>
Date: Thu, 5 Aug 2004 11:23:00 -0400
Subject: [Snort-users] Snort on span port
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>

> We are deploying SourceFire (snort network sensor) appliances to capture traffic on a VLAN that spans 4 Cisco Catalyst 5500 switches (Cat OS), connected on a trunk.
>
> I looked at the data, connecting to the span port of each of the switches; these span ports are supposed to be well configured by competent engineers and have been in use for a long time for network sniffing through the NAI distributed network sniffer. I am connecting the snort appliance in parallel with the NAI sniffer using a 100 MB/s hub. I see less than 0.2 MB/s traffic on 3 of these switches, while I see over 2 MB/s sustained traffic when connected to the span port of one of the switches. So I decided to connect the IDS to the span port of this switch.
>
> I initially thought that I would see the same traffic on all 4 switches as they are trunked, and after this exercise I realized the entire traffic of the VLAN can be sniffed only on one of the switches' span ports. A network engineer clarified that ONLY the root bridge on the VLAN would see all the traffic, and the root bridge could change after a re-election when the current root goes down.
>
> The question is how do I ensure that I always capture the entire VLAN traffic, irrespective of which switch is the "root bridge"? Should I have IDS sensors on the span port of all the switches in this kind of scenario? Is there any better solution? I keep hearing of the Cisco terminology VACL to configure the port on which the IDS sits? Is it better than using a span port? I would appreciate it if someone shares their experience dealing with this kind of situation.
>
> Thanks,
> Ilango

I work in an environment where all of our network traffic is captured through Cisco Switch Spanning, and I have never experienced a problem related to whichever switch might be the "root bridge" for the VLAN. However, I am not a network engineer by any means, I am an IDS engineer. So you may want to take what I say with a grain of salt.

In my experience, "userland" VLANs are spanned to a "monitoring" trunk VLAN on an alternate switch port. The IDS either sits on that port, or (depending upon the capabilities of the switch) that port is then SPAN'd/RSPAN'd to another switch, which then locally SPANs the traffic to the IDS promiscuous interface. This whole configuration depends on your architecture and the capability of your switch infrastructure, and can vary accordingly.

Some things to consider are:
1) How much traffic SHOULD be traversing the VLANs that you are monitoring on the one that is seeing less bandwidth? Is that typical or atypical?
2) How many VLANs are you dealing with?
3) What type of traffic do you actually see on the port with less bandwidth?

It's really difficult to speak intelligently about your situation without knowing more about your architecture. If you would like to email me off-list to provide more detail about your infrastructure, I might be able to help more.

Basically, I don't know anything about VACLs, but we've been able to accomplish most of the visibility that we need through the mixture of local SPAN sessions and RSPAN sessions (remote). You should be able to do the same (depending on the capabilities of your switches).

--
Charlie Heselton
Network Security Engineer

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
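As an added illustration (not code from anyone in this thread) of the check both Ilango and Doug are really after, namely whether the SPAN feed carries every VLAN you expect: parse the 802.1Q tag of each frame, count frames per VLAN, and flag expected VLANs that never appear. The frames below are constructed in-line to mimic a SPAN of Switch3's trunk from Doug's table; on a sensor you would read them from the capture interface or a pcap instead.

```python
import struct
from collections import Counter

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def vlan_of_frame(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged.

    The tag sits right after the two MAC addresses: TPID 0x8100, then the
    TCI word (PCP 3 bits, DEI 1 bit, VID 12 bits).
    """
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETHERTYPE_8021Q:
        return None
    return tci & 0x0FFF


def build_frame(vid: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a constructed, tagged Ethernet frame (sample data, not a real capture)."""
    dst = b"\x00\x11\x22\x33\x44\x55"
    src = b"\x66\x77\x88\x99\xaa\xbb"
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload


def vlan_coverage(frames, expected_vlans):
    """Count frames per VLAN on the sensor feed and list expected VLANs never seen.

    A non-empty 'missing' list means the SPAN source (or the switch it sits on)
    is not seeing that VLAN's traffic, e.g. no device for it behind this switch.
    """
    seen = Counter()
    untagged = 0
    for f in frames:
        vid = vlan_of_frame(f)
        if vid is None:
            untagged += 1
        else:
            seen[vid] += 1
    missing = sorted(v for v in expected_vlans if seen[v] == 0)
    return dict(seen), untagged, missing


# Constructed feed: VLANs 2, 3, 4 present, plus one untagged frame, no VLAN 1.
FEED = ([build_frame(2)] * 5 + [build_frame(3)] * 3 + [build_frame(4)] * 2
        + [b"\xff" * 14 + b"\x00" * 50])

if __name__ == "__main__":
    print(vlan_coverage(FEED, {1, 2, 3, 4}))  # VLAN 1 reported as missing
```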
Current thread:
- Snort on span port Ilango S Allikuzhi (Aug 09)
- Re: Snort on span port Charles Heselton (Aug 11)
- <Possible follow-ups>
- Re: Snort on span port Michael J. Pelletier (Aug 11)
- Re: Snort on span port TKaroutsos (Aug 11)
- Re: Snort on span port Michael J. Pelletier (Aug 11)
- Re: Snort on span port Rich Adamson (Aug 11)
- Re: Snort on span port Michael J. Pelletier (Aug 11)
- Re: Snort on span port SN ORT (Aug 12)
- Re: Snort on span port Michael J. Pelletier (Aug 12)
- Fwd: Snort on span port Charles Heselton (Aug 14)
- Re:Snort on span port SN ORT (Aug 16)
- RE: Snort on span port Douglas McCrea (Aug 17)