[Snort-users] Switched Snort.

John Greer jbgreer at ...1052...
Tue Jan 2 14:30:33 EST 2001

In our switched network I gave up on trying to see everything and just
concentrated on the connection to the world.  We have one 100M fiber line
from the University backbone coming in to our main switch.  I mirrored this
port to another port on the switch, which allows me to see all inbound and
outbound traffic.  I am unable to see most of the communication between
in-building computers, so I am blind to internal threats using this tool.  I
set up the first ethernet card (eth0 in Linux) with a private address and
configured snort to sniff on that port.  The second ethernet card (eth1) I
connect back to the switch and use as the public port with a public address.

Hourly I rotate the text logs with a cron job and copy (via scp) the snort
output to a server running Apache, run snortsnarf to generate web pages on
that hour's data and display it on the web server.  Once a day I combine all
the previous day's snort logs together and rerun snortsnarf on it to make a
single page for all days before today.

I have had very good luck capturing portscans and attempted exploits, and
have a general policy to contact the offending IP address's ISP.  I rarely
see the same perpetrator twice, as ISPs are in general quite active in
shutting down accounts.

Let me know if you'd like any more information.


-----Original Message-----
From: Scott A. McIntyre [mailto:scott at ...1050...]
Sent: Tuesday, January 02, 2001 1:35 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Switched Snort.


I'm curious what sorts of solutions people have come up with in
implementing snort in a large scale switched environment.  Between
vlan's and port mirroring, or even insertion of a hub, there seem to be
a few potential options, all of which have drawbacks...but anything that
people are doing and they're happy with, I'd like to hear about.
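The hourly rotate/copy/snortsnarf cycle and the daily roll-up that John describes above, written out as a cron-driven script. This is an added example, not code from either poster; the log path, archive directory, web host and the snortsnarf command line are assumptions to be adjusted for a local installation.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): hourly rotation of snort's
# text alert file and a daily roll-up of the previous day's hourly files,
# following the workflow described above.  Assumed crontab entries:
#   0 * * * *  sh snort-rotate.sh hourly
#   5 0 * * *  sh snort-rotate.sh daily

ALERT_FILE="${ALERT_FILE:-/var/log/snort/alert}"     # assumed: snort text alert log
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/snort/hourly}"  # assumed: rotated copies go here
WEB_HOST="${WEB_HOST:-www.example.org}"              # assumed: Apache/snortsnarf host
WEB_DIR="${WEB_DIR:-/var/www/html/snort}"            # assumed: snortsnarf output dir

# rotate_hourly FILE DIR STAMP: copy the live alert file to DIR/alert.STAMP
# and truncate the original in place.  Snort appends to its alert file, so
# truncation keeps it writing to the same file; a short window between the
# copy and the truncate can lose an alert, whereas moving the file would leave
# snort writing to the old inode.  Prints the archived copy's path.
rotate_hourly() {
    file=$1; dir=$2; stamp=$3
    archived="$dir/alert.$stamp"
    mkdir -p "$dir"
    cp "$file" "$archived"
    : > "$file"
    echo "$archived"
}

# combine_day DIR DAY OUT: concatenate every hourly file for DAY (YYYYMMDD)
# in hour order into OUT so snortsnarf can build one page for the whole day.
# Prints the number of hourly files combined.
combine_day() {
    dir=$1; day=$2; out=$3
    n=0
    : > "$out"
    for f in "$dir"/alert."$day"-*; do
        [ -f "$f" ] || continue
        cat "$f" >> "$out"
        n=$((n + 1))
    done
    echo "$n"
}

# publish FILE: ship a log to the web server and regenerate its report there
# (assumed snortsnarf syntax: snortsnarf.pl -d OUTPUT_DIR INPUT_FILE).
publish() {
    name=$(basename "$1")
    scp "$1" "$WEB_HOST:/tmp/$name" &&
      ssh "$WEB_HOST" "snortsnarf.pl -d $WEB_DIR/$name /tmp/$name"
}

case "${1:-}" in
    hourly) publish "$(rotate_hourly "$ALERT_FILE" "$ARCHIVE_DIR" "$(date +%Y%m%d-%H)")" ;;
    daily)  day=$(date -d yesterday +%Y%m%d 2>/dev/null || date +%Y%m%d)
            combine_day "$ARCHIVE_DIR" "$day" "$ARCHIVE_DIR/alert.$day" >/dev/null &&
              publish "$ARCHIVE_DIR/alert.$day" ;;
esac
```

The `hourly` and `daily` branches need passwordless ssh keys to the web host; the rotation and roll-up functions themselves run locally and can be tested without it.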
