Security Basics mailing list archives

Re: Snort Help - Network IDS
From: "Brian Whitehead" <brian () whiteheadconsulting com>
Date: Wed, 14 Apr 2004 20:02:27 -0500 (CDT)

Recently I posted a question on different types of monitoring and IDS
setups. I have decided to go with Snort and have been using it on a
smaller network with no problem. However, now I need to move it to a
production network which will consist of around 100 servers all linked
through 3Com switches and going out through a WatchGuard firewall. I'm
looking for different ways to implement this without setting up another
single point of failure device, which our firewall is. I'm not confident
enough yet to risk something like that. I haven't found much information
on packet sniffing when it comes to multiple entry points, found some
info on wiretap, etc., but I've always received such great help on here I
thought I would ask before I decided on something. Would really
appreciate any help, I'm in a heck of a bind right now. Thanks.



Jason Haith


If you don't want a single point of failure, such as using it inline between
the firewall and switch, then you will need to set up port monitoring on
your switches.  Some switches cannot do this across stacked switches, so
check the documentation on your switches.  Also, if you are using multiple
VLANs you will not be able to use a single box, unless it has multiple
NICs to monitor more than one VLAN.  Basically, the Snort box will be
connected directly to one of the switches and the switch will be
configured to mirror all traffic to the port that it's plugged into.
Usually this can be configured to monitor either ingress, egress or
traffic both ways.

One thing to note is that the port that the NIDS is connected to cannot
talk on the network.  It can only listen.  So, you will either need to
access it physically at the console or put an additional NIC in the box to
access it remotely.  Again, with the stacked switches this will depend on
the capabilities of the switch.  Some can be managed and actually know
that the ports on the other switches exist, while others will simply know
that the MAC addresses for several machines exist through a single port.  In
the latter case, you should still be able to monitor all of the traffic in
and out of the single port, but you won't be able to monitor traffic
destined for the same switch if it's not directly connected.  Just make
sure that wherever you connect the NIDS, it can see all of the
machines whose traffic you want to monitor.

I'm sure you might be able to do some confounded setup like mirroring all
traffic on each switch to a single port and then connecting that port to the
next switch.  This would mean you would have two connections between each
switch.  One that is simply mirroring the traffic and the other that is the
actual uplink.  I'm not sure this kind of setup would be a good idea
though.  You could also put multiple NICs in the box and connect one to
each switch.  The one downfall I can see to this is that you will see some
traffic more than once as it heads through the switches to get in and out
of the firewall.

Hope this helps.  Sorry if I confuse you.  The new Snort 2.1 book is due
out this month if you need a good reference. 

----------    --------
|switch  |====|IDSBOX|
----------    --------
|switch  |
| switch |

Brian W
