[Snort-users] Snort on switched network

niceshorts at ...131...
Tue Oct 9 13:55:36 EDT 2001


Erek Adams wrote:
>On Tue, 9 Oct 2001, Ashley Thomas wrote:
>
>> It is a bad idea to run Snort (or any IDS for that matter) on a switched
>> network, am I right?
>> Are there any workarounds?
>
>No, it's not a 'bad thing', you just may not get what you expect.  Switches
>maintain a list of MAC addresses and what port they are connected to on the
>switch.  They only send traffic destined for that MAC down that port.  In
>other words, you usually can't sniff all the traffic.
>
>Workarounds?  Well, if your switch has a port designed for monitoring, or you
>can configure spanning (some Ciscos) or port mirroring you'll see all of the
>traffic.  If that's not possible, then drop about $400 on a Shomiti tap.  You
>can place that in front of the switch and get the same results as
>spanning/mirroring.


    One thing I'm trying is to install snort on each sensitive
    server as a host-based NIDS[0]. This makes the switch largely
    irrelevant because the interesting traffic is to and from the
    particular host.

    The key is to severely restrict the rulesets and active
    preprocessors and perform post-processing elsewhere.

    On some systems, snort will take up 50% of CPU time. I've
    found restarting snort nightly clears this up, but otherwise
    there have been no serious performance issues.

[0] - In the manner of RealSecure Server Sensor's network engine.
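As an added illustration of the host-based layout described in this post (example configuration, not something from the original message or the Snort project; it assumes Snort 1.8-era directives, a constructed server address of 192.168.1.10 and a central loghost named "loghost"), a trimmed-down snort.conf that keeps only a few preprocessors and rule files and ships alerts off-box via syslog:

```conf
# Added example, not from the original post: a minimal host-based snort.conf
# for a single server (constructed address 192.168.1.10). Directives are the
# Snort 1.8-era ones; adjust to the version you actually run.

# Only this host is "home"; everything else is external.
var HOME_NET 192.168.1.10/32
var EXTERNAL_NET !$HOME_NET

# Keep the preprocessor list short: fragment and stream reassembly so the
# rules see whole payloads, plus HTTP normalisation for the web rules.
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80

# Alerts go to syslog only, and syslogd forwards them to the central host
# (e.g. "auth.alert  @loghost" in /etc/syslog.conf), where post-processing
# and correlation happen. No local packet logging on the sensor.
output alert_syslog: LOG_AUTH LOG_ALERT

# Load only the rule files for services this host really runs.
include web-cgi.rules
include web-iis.rules
include scan.rules

# Start Snort with a BPF filter so the kernel discards traffic that does not
# involve this host before Snort ever sees it:
#   snort -D -c /etc/snort/snort.conf -i eth0 host 192.168.1.10
```

The BPF filter and the short include list are what keep CPU use down; the syslog output is what moves the heavy lifting to the collection host.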
