[Snort-users] Switched Snort.

Graeme Fowler Graeme.F at ...875...
Tue Jan 2 13:54:13 EST 2001

Scott wrote:
> I'm curious what sorts of solutions people have come up with in
> implementing snort in a large scale switched environment.  Between
> vlan's and port mirroring, or even insertion of a hub, there 
> seem to be a few potential options, all of which have drawbacks...

I'm running Snort (mixed 1.6.3 and 1.7-b3, yes I will upgrade it) as a
sort of 'after the fact' IDS on a very large switched network with
approaching 2000 live IPs (and growing) and multiple connections to the
outside world.

I have it set up so that each of the connections at the site boundary
(leading to providers' routers) is mirrored using Cisco's Switch Port
Analyser on the corresponding switches, and I pump it all into a large
(dual PIII/550, lots of RAM) RedHat 6.0 box using multi-port ethernet
cards. This machine is running MySQL for the logging side of things,
with ACID layered on top for the analysis. Reading text files turned out
to be extremely tedious :)

I have a reasonably cut-down ruleset as I'm not really bothered about
many of the alerts (CGI exploits for example), but it really comes into
its own when script kiddies arrive and start walking all over the place
looking for vulnerabilities. Since it's set up as a mirror, one
invocation of snort watches both inbound and outbound traffic so I not
only get notified of attacks/scans/dubious inbound activity, I also get
notified if anything odd happens outbound. This can be very useful if
(rare though it is) machines do get compromised. So far it's turned out
to be tremendously helpful.

Obviously it's not the perfect solution - the database can get very
full, and my attempts to write an ICMP flood preprocessor have so far
floundered - due to my lack of coding ability, it has to be said - but
in conjunction with a couple of other tools it does help me keep things
running smoothly.
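Two points in the post above lend themselves to a worked example: a single sensor on a SPAN port sees both directions of the border link, and the poster's ICMP flood preprocessor never got finished. The script below is an added example, not code from the post and not a Snort preprocessor; it only shows the sliding-window counting logic such a preprocessor needs, run over constructed packet records rather than a real capture. The LOCAL_NET prefix, the window and threshold values, and the sample traffic are all assumptions made for illustration; in a real deployment the records would come from a pcap reader or from Snort's own packet structures.

```python
"""Sliding-window ICMP echo-request flood detector (added example, not Snort code)."""
from collections import defaultdict, deque
import ipaddress

# Assumed site prefix (TEST-NET-1). A source inside it means the traffic
# is leaving the site; anything else is coming in. Because a SPAN session
# on the border switch carries both directions, one detector sees both.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

WINDOW_SECONDS = 2.0  # assumed sliding window length
THRESHOLD = 20        # assumed: more than this many echo requests per window trips an alert


def direction(src):
    """Classify a packet by where its source sits relative to LOCAL_NET."""
    return "outbound" if ipaddress.ip_address(src) in LOCAL_NET else "inbound"


def detect_icmp_floods(packets, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Scan time-ordered (ts, src, dst, proto, icmp_type) records.

    Only ICMP echo requests (type 8) are counted, per source, over a sliding
    window of `window` seconds. One alert is raised per source each time its
    count crosses from at-or-below `threshold` to above it, so a sustained
    flood does not generate an alert per packet.
    Returns a list of (ts, src, direction, count_in_window) tuples.
    """
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    above = defaultdict(bool)     # src -> was it over threshold on the last packet?
    alerts = []
    for ts, src, dst, proto, icmp_type in packets:
        if proto != "icmp" or icmp_type != 8:
            continue  # replies, other ICMP types and non-ICMP are ignored
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop timestamps that have aged out of the window
        over = len(q) > threshold
        if over and not above[src]:
            alerts.append((ts, src, direction(src), len(q)))
        above[src] = over
    return alerts


def build_sample():
    """Constructed packet records (not a real capture), returned in time order."""
    pkts = []
    # 1. Inbound flood: 30 echo requests in under a second from one outside host.
    for i in range(30):
        pkts.append((10.0 + i * 0.03, "198.51.100.7", "192.0.2.10", "icmp", 8))
    # 2. The echo replies going back out; the detector must not count these.
    for i in range(30):
        pkts.append((10.001 + i * 0.03, "192.0.2.10", "198.51.100.7", "icmp", 0))
    # 3. Outbound sweep: a local host pinging 25 outside addresses in 1.5 s,
    #    the kind of "odd outbound" activity the post says the mirror exposes.
    for i in range(25):
        pkts.append((20.0 + i * 0.06, "192.0.2.44", f"203.0.113.{i + 1}", "icmp", 8))
    # 4. Benign: one ping per second from an admin box, well under threshold.
    for i in range(5):
        pkts.append((30.0 + i * 1.0, "192.0.2.5", "198.51.100.1", "icmp", 8))
    # 5. Unrelated TCP, ignored.
    pkts.append((31.0, "192.0.2.5", "198.51.100.1", "tcp", None))
    return sorted(pkts, key=lambda p: p[0])


if __name__ == "__main__":
    for ts, src, where, count in detect_icmp_floods(build_sample()):
        print(f"t={ts:7.3f}  {where:8s} ICMP echo flood from {src}: "
              f"{count} requests in {WINDOW_SECONDS}s window")
```

Run as-is it reports two alerts, one inbound flood from 198.51.100.7 and one outbound sweep from 192.0.2.44, and stays silent for the echo replies and the slow admin pings. The state-crossing check is what keeps a database-backed setup like the poster's from filling up with one row per flood packet; a production version would also expire idle sources from `recent` and `above`.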


