Snort mailing list archives
RE: Understanding IDS & TAPS
From: "Nigel Clarke" <nigel () forever-networks com>
Date: Wed, 18 Dec 2002 14:26:05 -0800
To answer your networking questions, read "Interconnections" by Radia Perlman.

A switch manages VLANs in software. Let's say you have a 20 port switch, and you need to create two VLANs. You could assign ports 1 - 10 to VLAN A and ports 11 - 15 to VLAN B. The remaining ports could be saved for another VLAN.

This is not a good idea. There are exploits that allow a hacker to bypass VLANs.

Let me know if this helps.

--
Nigel Clarke
Forever Networks
Network Security Engineer Consultant
*********www.forever-networks.com************

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Carleton, Sam (SCI TW)
Sent: Wednesday, December 18, 2002 10:49 AM
To: 'twig les'; 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Understanding IDS & TAPS

Read theory? Well, learning more about TCP/IP is on my hit list of things to do.

So, if my understanding of your short answer is correct, you said: The switch either needs a port that all traffic goes to or it must be able to be configured to send packets from one port to another, based on MAC address.

Now Netgear has this switch FSM726S which is a "managed switch". Is my impression correct that a "managed switch" is one that can be configured to send the packets from Port A's and Port B's ports to the IDS's port?

Where can I go to learn more about this networking stuff, primarily what a managed switch is and what all one can do with it. If my impression is correct, one managed switch could be used to create multiple isolated networks. In other words, I am under the impression that by configuring this Netgear switch so that one set of ports are for the DMZ and another set of ports are for the internal network, I could have one switch with two networks. This is opposed to having to have two physical switches, one for the DMZ and one for the internal network.

Oh, wait a second. I just had a thought. Does it HAVE to be a switch between the TAP and the IDS? Can I use a HUB? The only reason I could see a HUB being a problem is if a packet of info came in on both Port A & B at the same time.

Sam

-----Original Message-----
From: twig les [mailto:twigles () yahoo com]
Sent: Wednesday, December 18, 2002 12:54 PM
To: Carleton, Sam (SCI TW); 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Understanding IDS & TAPS

Your questions span (pun!) more than the IDS field. Pick up a good book on switches or at least something that explains the OSI model. As loath as I am to recommend reading theory, it really applies.

A short answer is that switches forward packets out of specific ports based on a table they keep. The table correlates MAC address<->port relationships. To sniff on a switch you need one of two things: a port that the switch sends ALL traffic to, regardless of the destination MAC, or a piece of software like Ettercap that does massive ARP poisoning. For multiple obvious reasons you prolly want to stick to the former.

--- "Carleton, Sam (SCI TW)" <Sam_Carleton_TW () stercomm com> wrote:

Folks,

I understand the IDS and TAPS, but not completely. The main thing is the physical hookup of the TAP to the IDS. I don't understand the "100Mb IDS Tapping Diagram (with only 100bt span port)" diagram. The switch being used, can it be any old switch or does it have to be something that is programmable?

What I don't understand is how the traffic gets through the switch. How does the switch know where to send the packets which are coming in from the Port A and Port B?

Sam
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
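
Added example (not part of the original thread, and not any vendor's switch logic): a toy Python model of the forwarding behaviour twig les describes, a MAC<->port table, using the port-to-VLAN split from Nigel Clarke's reply. The MAC addresses, the sample frames, the IDS on port 10 and the mirror port on port 20 are constructed for illustration; the model counts how many frames reach an IDS on an ordinary port versus on a port that receives all traffic.

```python
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class LearningSwitch:
    vlan_of_port: dict                      # port number -> VLAN name
    mirror_port: Optional[int] = None       # port that gets a copy of every frame
    mac_table: dict = field(default_factory=dict)  # (vlan, mac) -> port

    def receive(self, in_port, src, dst):
        """Process one frame; return the set of ports it is sent out of."""
        vlan = self.vlan_of_port[in_port]
        self.mac_table[(vlan, src)] = in_port          # learn where src lives
        known = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and known is not None:
            out = {known}                              # known unicast: one port
        else:                                          # unknown/broadcast: flood the VLAN
            out = {p for p, v in self.vlan_of_port.items() if v == vlan}
        out.discard(in_port)
        if self.mirror_port is not None:
            out.add(self.mirror_port)                  # copied regardless of dst MAC
        return out

def build_switch(mirror_port=None):
    # Ports 1-10 in VLAN A, 11-15 in VLAN B, as in the reply above.
    ports = {p: "A" for p in range(1, 11)}
    ports.update({p: "B" for p in range(11, 16)})
    return LearningSwitch(ports, mirror_port)

def frames_seen(switch, ids_port, traffic):
    """Count the frames in `traffic` that are delivered to ids_port."""
    return sum(ids_port in switch.receive(*frame) for frame in traffic)

# Constructed sample traffic: (ingress port, source MAC, destination MAC).
WEB, DB = "aa:00:00:00:00:01", "aa:00:00:00:00:02"
DMZ1, DMZ2 = "bb:00:00:00:00:01", "bb:00:00:00:00:02"
TRAFFIC = [
    (1, WEB, BROADCAST), (2, DB, WEB), (1, WEB, DB), (2, DB, WEB),
    (11, DMZ1, DMZ2), (12, DMZ2, DMZ1),
]

if __name__ == "__main__":
    print("IDS on ordinary port 10:", frames_seen(build_switch(), 10, TRAFFIC))
    print("IDS on mirror port 20:  ", frames_seen(build_switch(20), 20, TRAFFIC))
```

On an ordinary port the sensor only receives the frames the switch floods into its own VLAN; on the mirror port it receives every frame from both VLANs.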