[Snort-users] snort on inter-switch trunk (ISL, 802.1q) mirrors?

Richard Johnson rdump at ...1195...
Wed Jan 24 21:49:43 EST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 16:19 -0700 on 1/23/01, Dave Ryan wrote:
> if you want to monitor traffic coming across an ISL onto a core switch (I'm
> making a lot of assumptions here but it's flexible enough ;) you could simply
> configure the core switch to span all traffic to a span port, or as the
> case may be with high loads to split the traffic across multiple span
> ports for subsets of VLANs, hanging a snort agent off each one (that also
> depends on the available port density of your core switch fabric but hey I'm
> making assumptions).


That's pretty much what I'm planning now.  If one sensor can't keep up with
all the VLANs, then balancing the load between sensors, with each one only
listening to a subset of the VLANs passing by on the wire, would be the
fallback.

Discarding the VLAN tags is probably not a good idea, as it can lead to false
positives regarding replay attacks or spoofing if the same IP packet goes by
twice (on different VLANs but we don't see that any more) with different MAC
addresses.


> Also I don't understand the connection between the DS3 and the ISL, unless
> we are talking about an ISL from a boundary router to your core switch,
> either way the above suggestion should work.


The router serving the DS3 (and OC3 eventually) speaks to other routers
through switches across 802.1q trunk ports.  Transit routing makes the
trunking attractive on the GigE link between the border router and the
switch.


Richard

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOm+UOJgmccFXZvyVEQJysQCguGRSbhX4p3w2or3zKEqL7LAduBgAoN0l
kkLEOyHlyap+cvCTs+rp2wmT
=YR6i
-----END PGP SIGNATURE-----
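The point about keeping 802.1Q tags can be shown with a small decoder. The following is an added example, not code from the post above or from Snort: it builds constructed Ethernet frames with a single 802.1Q tag around a constructed IPv4/UDP packet, then de-duplicates sightings two ways. Keyed on IP fields only (a sensor that has thrown the tag away), one packet that legitimately crosses the trunk on VLAN 10 and again on VLAN 20 after the router forwards it looks like a replay; keyed on VLAN ID and source MAC as well, the two sightings are distinct, while a real replay on the same VLAN is still caught. The MAC and IP addresses, VLAN numbers and packet contents are assumptions invented for the sample.

```python
import socket
import struct
from collections import Counter

# Added example (not from the original post or from Snort).
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac(s):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_ipv4(src, dst, ip_id, proto, payload):
    """Minimal IPv4 header (no options) over payload; checksum left 0 (constructed sample)."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ip_id, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport, dport, data):
    """UDP header with zero checksum over data (constructed sample)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_frame(dst_mac, src_mac, vlan, ip_packet):
    """Ethernet II frame; when vlan is not None, insert an 802.1Q tag (PCP=0, DEI=0)."""
    eth = mac(dst_mac) + mac(src_mac)
    if vlan is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet
    return eth + struct.pack("!HHH", ETHERTYPE_VLAN, vlan & 0x0FFF, ETHERTYPE_IPV4) + ip_packet


def parse_frame(frame):
    """Decode Ethernet II, one optional 802.1Q tag, IPv4 and TCP/UDP ports.

    Returns None for non-IPv4 frames; otherwise a dict with the MACs, the VLAN ID
    (None if untagged) and an ip_key identifying the IP packet itself.
    """
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18          # VID is the low 12 bits of the TCI
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[off:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", ip[2:6])
    proto = ip[9]
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport = dport = None
    if proto in (6, 17):                       # TCP or UDP: ports follow the IP header
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "vlan": vlan,
            "ip_key": (src_ip, dst_ip, proto, ip_id, sport, dport)}


def find_duplicates(frames, keep_vlan):
    """Keys seen more than once. keep_vlan=False mimics a sensor that discards 802.1Q tags."""
    counts = Counter()
    for f in frames:
        p = parse_frame(f)
        if p is None:
            continue
        key = p["ip_key"] + ((p["vlan"], p["src_mac"]) if keep_vlan else ())
        counts[key] += 1
    return {k for k, n in counts.items() if n > 1}


# Constructed sample: one DNS query (IP ID 0x1234) from 10.1.1.5 to 10.2.2.9 crosses
# the trunk twice, first on VLAN 10 from the host, then on VLAN 20 after the router
# forwarded it with its own MAC as source. REPLAY adds a genuine second copy on VLAN 20.
HOST, ROUTER, GW = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"
PKT = build_ipv4("10.1.1.5", "10.2.2.9", 0x1234, 17, build_udp(40000, 53, b"query"))
TRANSIT = [build_frame(ROUTER, HOST, 10, PKT), build_frame(GW, ROUTER, 20, PKT)]
REPLAY = TRANSIT + [build_frame(GW, ROUTER, 20, PKT)]

if __name__ == "__main__":
    print("transit, tags kept:     ", find_duplicates(TRANSIT, keep_vlan=True))   # nothing flagged
    print("transit, tags discarded:", find_duplicates(TRANSIT, keep_vlan=False))  # false replay
    print("replay, tags kept:      ", find_duplicates(REPLAY, keep_vlan=True))    # real replay flagged
```

The decoder handles only one tag level; a QinQ (stacked) trunk would need the loop extended, and a real sensor would key on the full flow state rather than a single header tuple. The point it makes stands either way: once the tag is gone, the same IP header seen on two VLANs is indistinguishable from a duplicate.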