Snort mailing list archives
switched environment
From: "M. Yu" <myu () websprinter net>
Date: Thu, 22 May 2003 23:41:36 +0800
Hello all,

I'm new to the list and I am planning to deploy a NIDS on our network and am currently testing snort. My network is pretty flat where we have a core switch (3Com 3C16985B SuperStack3) connecting servers (DNS, mail, etc.) and 1 Cisco router to the Internet. Additionally, we have a cable modem termination system (CMTS) acting as a bridge between the cable modems and the switched LAN.

Although the switch has a roving analysis port where I can put a snort, I doubt that putting it on 1 100 full-duplex port will enable it to monitor 12 other 100 full-duplex ports.

I came up with this solution however -- I can put 2 NICs on the snort machine and configure the switch such that 1 NIC can monitor the Cisco port and the other NIC can monitor the CMTS port, thereby giving me 99% NIDS coverage. I can monitor attacks from the Internet to any IP on my LAN, and attacks from my cable modems to anywhere, BUT I cannot monitor attacks from my servers going to other servers on my LAN (which is an acceptable trade-off for a clunky solution).

Question 1: how can I prevent snort from reporting a (for example) NIMDA attack twice, if the attack is from the Internet to a cable modem or vice-versa, since the attack will be seen on both the Cisco port and the CMTS port which snort monitors?

Question 2: is there a better way to put a NIDS on a switched environment like mine without resorting to putting a hub inline (tapping into the physical UTP cables)?

Thanks in advance for any help/info!

M. Yu
