Re: can snort help detect bad spans?

[Joel Esler <jesler () sourcefire com>]

I agree with that as well, there are probably better tools for it, but yes, you can find it in Snort, if the span port 
becomes saturated.

J

On Mar 21, 2011, at 7:57 PM, Jason Wallace wrote:

> I could be wrong, but I don't see how Snort could identify that type
> of issue. You would be better off monitoring the span port with Cacti
> and generating an alert when the port is at a high utilization level
> for a given amount of time.
>
> Damn those network guys!
>
> Thx,
> Wally
>
> On Mon, Mar 21, 2011 at 7:21 PM, Jason Haar <Jason.Haar () trimble co nz> wrote:
> > Hi there
> >
> > We recently had an incident where an existing SPAN port had been allowed
> > to get overloaded by the network group: you know, they spanned a VLAN
> > and then upgraded from 100M to 1G switches without thinking the 100M
> > SPAN port might struggle ;-)
> >
> > Anyway, is there any way snort could pick that up? I'm thinking the TCP
> > streams must have been seriously corrupted for starters (i.e sequence
> > numbers with huge gaps) - does that show up in the stats anywhere?
> >
> > Any other ideas for monitoring the quality of SPANs?
> >
> > --
> > Cheers
> >
> > Jason Haar
> > Information Security Manager, Trimble Navigation Ltd.
> > Phone: +64 3 9635 377 Fax: +64 3 9635 417
> > PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> >
> >
> > ------------------------------------------------------------------------------
> > Enable your software for Intel(R) Active Management Technology to meet the
> > growing manageability and security demands of your customers. Businesses
> > are taking advantage of Intel(R) vPro (TM) technology - will your software
> > be a part of the solution? Download the Intel(R) Manageability Checker
> > today! http://p.sf.net/sfu/intel-dev2devmar
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> ------------------------------------------------------------------------------
> Enable your software for Intel(R) Active Management Technology to meet the
> growing manageability and security demands of your customers. Businesses
> are taking advantage of Intel(R) vPro (TM) technology - will your software 
> be a part of the solution? Download the Intel(R) Manageability Checker 
> today! http://p.sf.net/sfu/intel-dev2devmar
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
Twitter: @snort


------------------------------------------------------------------------------
Enable your software for Intel(R) Active Management Technology to meet the
growing manageability and security demands of your customers. Businesses
are taking advantage of Intel(R) vPro (TM) technology - will your software 
be a part of the solution? Download the Intel(R) Manageability Checker 
today! http://p.sf.net/sfu/intel-dev2devmar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users