IDS mailing list archives

Re: about mirroring port


From: "nate" <focus-ids () aphroland org>
Date: Tue, 18 Mar 2003 18:50:53 -0800 (PST)

SB CH said:

hello, all.

I would like to set up an IDS (like Snort) on a mirroring port in a Cisco Catalyst
switch.
But all of the network traffic is over 100M, and my Linux server which
has Snort installed is not such good hardware.

You're probably better off using FreeBSD then. I use Linux everywhere
except on my NIDS systems :) FreeBSD is there. I'd kill (almost) for
a Debian/FreeBSD.

Also keep in mind port mirroring on a switch for the most part isn't
perfect. I've read many places over time that if the switch's CPU
gets heavily loaded it will randomly drop packets on the mirrored
ports. Higher end switches may work better. Also when talking to
Cisco a couple years ago, I was trying to do something similar; however I
was trying to mirror ports that were uplinked to other switches,
not directly connected to systems, and the switch (2900XL for me
at the time) does not support mirroring in such a way (which was
proven to me by the lack of traffic on the mirrored ports),
according to the Cisco rep I talked to. Not sure if higher end
switches are different. I have a Summit 48 here but haven't tried
port mirroring on it.


1. When I set up the mirroring port, does all traffic (for example, port 2 traffic)
 transfer like this, or does it just get copied to the mirroring port too?

 (1) client --> mirroring port1 --> port 2
 (2) client --> port 2
            --> mirroring port (copy too)

I think it usually just copies the traffic on the switch itself.


2. Is there any problem when I set Snort at the mirroring port if the traffic
is so high (over 100~200M)?

Depends on the traffic. At my last employer I had 2 Snort sensors on
2 T1s averaging ~5% utilization, and running a full-blown untuned Snort
got me more than 40,000 events per hour. Spending dozens of hours
analyzing and tuning got it down to ~30 events/hour.


3. Do you know any commands to set up a mirroring port on a Catalyst 400x (CatOS
 based) switch?

Not off the top of my head; it's been a while since I tried port mirroring
on a switch.

nate
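The "dozens of hours analyzing and tuning" nate mentions usually start with finding which rules generate most of the noise. As an added example (not part of the original thread), this script aggregates Snort fast-format alert lines by generator:signature id, reports the rate per hour and distinct source count, and flags low-priority rules that dominate the volume as the first candidates for thresholding or suppression. The log lines are constructed sample data; the rule ids and messages in them are illustrative, and the year is assumed because the fast format does not log it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort "alert_fast" line layout (real format; the year is not logged).
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

def parse_fast_alert(line, year=2003):
    """Parse one fast-format alert line; return None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    a["prio"] = int(a["prio"])
    return a

def rank_noisy_rules(lines):
    """Group alerts by gid:sid; report count, rate per hour, distinct sources, share."""
    alerts = [a for a in (parse_fast_alert(l) for l in lines) if a]
    if not alerts:
        return []
    span = max(a["ts"] for a in alerts) - min(a["ts"] for a in alerts)
    span_h = span.total_seconds() / 3600 or 1 / 3600   # single alert: assume 1 second
    groups = defaultdict(lambda: {"count": 0, "srcs": set()})
    for a in alerts:
        g = groups[f"{a['gid']}:{a['sid']}"]
        g.update(msg=a["msg"], prio=a["prio"])
        g["count"] += 1
        g["srcs"].add(a["src"])
    ranked = [{"rule": r, "msg": g["msg"], "prio": g["prio"], "count": g["count"],
               "per_hour": g["count"] / span_h, "distinct_src": len(g["srcs"]),
               "share": g["count"] / len(alerts)} for r, g in groups.items()]
    return sorted(ranked, key=lambda r: r["count"], reverse=True)

def tuning_candidates(ranked, min_share=0.25, min_prio=3):
    """Low-priority rules producing a large share of all alerts: tune these first."""
    return [r["rule"] for r in ranked if r["share"] >= min_share and r["prio"] >= min_prio]

SAMPLE = [  # constructed sample lines, not real sensor output
    "03/18-18:00:00.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1",
    "03/18-18:05:00.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.6 -> 10.0.0.1",
    "03/18-18:10:00.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1",
    "03/18-18:15:00.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1",
    "03/18-18:20:00.000000  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.1:80 -> 192.0.2.10:40000",
    "03/18-18:25:00.000000  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.1:80 -> 192.0.2.11:40001",
    "03/18-18:30:00.000000  [**] [1:648:7] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 192.0.2.20:5555 -> 10.0.0.2:80",
]

if __name__ == "__main__":
    ranked = rank_noisy_rules(SAMPLE)
    for r in ranked:
        print(f"{r['rule']:>8} {r['count']:>4} {r['per_hour']:6.1f}/h srcs={r['distinct_src']} {r['msg']}")
    print("tune first:", tuning_candidates(ranked))
```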



