[Snort-users] Sniffing the Gateways
than at ...3657...
Thu Nov 29 08:43:02 EST 2001
Look for "---"
From: jamesh [mailto:jamesh at ...3784...]
Sent: Wednesday, November 28, 2001 4:07 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Sniffing the Gateways
We have 2 gateways, and I am sniffing traffic off both the Ethernet
interfaces (via the switch). I was hoping to see all the traffic for our
statewide network this way, but I am not. After a bit of thinking I realized
this probably will not show me the several serial interfaces that exist on
these gateways, as these route directly out the WAN connections (i.e., serial
and WAN connections are on the same box and route port to port to get to the
internet) and not through the Ethernet interfaces. Is this correct?
---Your assumption is correct, the router has no need to go out the Ethernet
interface and therefore you will not see any traffic. Cisco does not have
any provisions for sniffing (like SPAN) out to another interface since that
would defeat the purpose of routing.
If so, how would I go about seeing everything? As luck would have it, the
secondary gateway is our Cisco 72XX, where multiple T's to the DSLAMs for
DSL exist. BGP tends to send these connections out this gateway and only
once in a while does BGP decide to use the primary gateway for DSL; in this
case Snort will see this. As we have 400+ DSL subscribers, I am interested
to see if any have DoS tools (and other bad things).
Generally I just sniff all our servers; this works great. Once a day I would
like to watch all traffic to get the big picture with a special interest in
what is going on with DSL. Any ideas?
---The best suggestions I can offer (others may have better ones) are these:
---1) Taps--I don't know a whole lot about them and how they would integrate
with Snort (will Snort sniff a local serial interface?). You could either
tap the internet connection and see all in/outbound traffic or tap all your
serial lines individually. You may be able to find some combination of
hardware that will get you what you want.
---2) Depending upon many factors (IP schemes, how good the bandwidth
between your gateways is, how much load you can spare on them, the number of
sunspots on a given Wednesday, how lucky you feel, and so on...) you may be
able to play with the weighting and static routes on your serial interfaces
so that they think that the other gateway has the best route; then once
they hit the BGP table it can decide if it should really go out there
or go back to the other gateway. Granted, it's totally "bassackwards" and
will add to your load, but if you can spare it, it will do the job, and then
some (in some cases you'll see the traffic twice on Snort).
---The real point is that you've got to either catch the traffic on the way
in or on the way out. Unless you're on a cat6500 you're not going to be
able to do what you want without forcing the traffic out of the router/gateway
and then back into it.
Hope that gives you some ideas.
"They can't all be good, you have to expect that once in a while."
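A small model of the visibility problem discussed in this thread, added here as an illustration and not code from the original posters. The router names, interface names and flows are constructed; the sensor is assumed to capture every frame transmitted onto the switched Ethernet segment between the two gateways, which is why a serial-to-WAN flow routed port to port inside one router never shows up, while the "force it out to the other gateway and back" trick shows up twice.

```python
"""Which router flows does a switch-side Snort sensor actually see?

Constructed example: two gateways (gw1, gw2) share an Ethernet segment
that Snort watches. DSL serial links and the WAN uplink live on gw2 and
are routed port to port inside that box.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    router: str
    ingress: str   # interface the packet arrives on
    egress: str    # interface the router forwards it out of


# Interfaces whose transmitted frames land on the monitored switch segment.
MONITORED = {("gw1", "eth0"), ("gw2", "eth0")}


def sensor_hits(path):
    """Count captured copies: one per hop that transmits onto the segment.

    Only the egress side counts, since every frame put on the wire by one
    router is the same frame the other router receives.
    """
    return sum(1 for hop in path if (hop.router, hop.egress) in MONITORED)


def visibility(path):
    n = sensor_hits(path)
    if n == 0:
        return "invisible"
    return "seen once" if n == 1 else f"seen {n} times"


# Case A: DSL subscriber on a gw2 serial port goes straight out gw2's WAN
# link. The Ethernet interface is never touched, so Snort sees nothing.
DIRECT = [Hop("gw2", "serial1/0", "wan0")]

# Case B: gw2's serial-side static route prefers gw1 across the Ethernet;
# gw1's BGP table sends it back to gw2, which forwards it out the WAN link.
DETOUR = [
    Hop("gw2", "serial1/0", "eth0"),
    Hop("gw1", "eth0", "eth0"),
    Hop("gw2", "eth0", "wan0"),
]

# Case C: ordinary inbound traffic to a server on the Ethernet segment.
SERVER_INBOUND = [Hop("gw1", "wan0", "eth0")]

if __name__ == "__main__":
    for name, path in (("direct", DIRECT), ("detour", DETOUR), ("server", SERVER_INBOUND)):
        print(f"{name:8s} {visibility(path)}")
```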