
RE: snort- problems

From: Evans, Arian <Arian.Evans(at)fishnetsecurity.com>
Date: Wed Aug 06 2003 - 15:24:48 EDT


Rishi,

#I am new to security and IDS in general.

Welcome. Panic and run away now if you can.

#1) I was led to believe that Snort can run on one machine and monitor

Snort, and any NIDS (network-based IDS) are essentially just like sniffers for the purpose of monitoring traffic.

If you use hubs in your environment, every interface sees every packet, so you can simply plug a NIDS into a hub and see all the rest of the traffic on that hub...

In a switched environment, unicast traffic only goes to the physical port on the switch that its destination host is attached to. In that setup, you will only see (a) broadcast traffic and (b) traffic destined for your specific node/switch port.

Most switches today have functionality to monitor traffic crossing the backplane of the switch. Some vendors call it a mirror port, some call it a monitor port, some call it a span port (Cisco). If you set up a span port, you can see all traffic crossing the backplane of that switch.


Cisco also supports rspan, which allows you to remotely span *other* switches in your network from one port. I am not aware of any other switch vendors who do this (i.e., someone asked this about Foundry earlier and they do not have this functionality yet).

So if your network is switched, and your switch fabric is distributed at multiple sites, you are likely going to need more than one NIDS sensor (snort or otherwise) to monitor your environment. Even if you can rspan everything, the performance impact of doing this from remote sites will probably be a killer.

Cheers,

Arian Evans
Sr. Security Engineer
FishNet Security

Phone: 816.421.6611
Toll Free: 888.732.9406
Fax: 816.421.6677

http://www.fishnetsecurity.com

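The span-port and rspan setup described in the message above, written out as an added example in Cisco IOS syntax (this is not from the original post or from the Snort project). The interface names, session numbers and VLAN 900 are assumptions, and the exact commands vary by platform and IOS release.

```text
! --- Local SPAN on the switch the sensor is plugged into ---
! Mirror everything the access ports send and receive (both directions)
! to the port where the Snort sensor's sniffing interface lives.
monitor session 1 source interface GigabitEthernet0/1 - 23 both
monitor session 1 destination interface GigabitEthernet0/24

! --- RSPAN: span a *remote* switch back to the same sensor ---
! Step 1 (every switch in the path): define the RSPAN VLAN.
vlan 900
 name IDS-RSPAN
 remote-span
!
! Step 2 (remote source switch): copy its port traffic into the RSPAN VLAN.
monitor session 2 source interface GigabitEthernet0/1 - 23 both
monitor session 2 destination remote vlan 900
!
! Step 3 (sensor's switch): pull the RSPAN VLAN out onto a second sensor port.
! The mirrored traffic rides the trunk links between sites, which is the
! bandwidth cost the message warns about.
monitor session 3 source remote vlan 900
monitor session 3 destination interface GigabitEthernet0/23
!
! Check that the sessions are active and mirroring what you expect.
show monitor session all
```

On the sensor, the destination ports should appear as traffic that is not addressed to the sensor's own MAC; if a sniffer on that interface shows only broadcasts and its own traffic, the mirror is not configured or the sensor is on the wrong port.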



Received on Wed Aug 6 15:32:25 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:16 EDT
