[Snort-users] Using snort on a switched network

Blue Knight blueknight at ...4479...
Sun Jan 6 19:50:02 EST 2002


There are a few ways of doing IDS (not only snort) on a switched network
(and I have set up at least 1000+ such systems all over the world (non-snort,
unfortunately)).

#1 - Most switches have a mode that allows you to mirror the data of certain
ports to one port (this capability is not available on the cheap consumer
switches, but even there, there is a way to do it; see #2 or #3). On a Cisco
it is called port spanning, but the general term is port mirroring. Basically
what you are telling the switch is that you want to send all the data from
the mirrored ports to another port when the mirrored port receives traffic.
This usually works, except that most lower/middle-end switches only allow one
port to receive the mirrored data. So if you need other things listening to
the data or the ability to use a sniffer, you need to connect a small hub at that

#2 Shamiti Tap - There is a company that makes cheap devices that work as a
tap on the wire: the incoming cable plugs in to it, the outgoing cable plugs
in to it and the IDS cable plugs in to it. This device is only for listening
(perfect for snort); for some IDS that send resets, you would not be able to
do it via this device. The beauty of it is that this device fails in an open
state, so you never lose your primary connection, just the ability to monitor
the network.

It works by plugging the wire from the router device (in a home
environment, the cable modem or DSL modem) in to the In port of the tap, then
you plug the out cable in to the switch, and the IDS in to the monitoring port.
It is a very nice device and pretty cheap and has good redundancy, but not as
cheap as #3.

#3 Hub - Buy a small hub (4 port - I like to use Netgear since they are
pretty nice), connect the cable from the router/cable modem/DSL modem to the
hub, connect the crossover cable to the hub and the other end to the
switch. Then connect the IDS to the hub as well. Since it is a shared-medium
environment you will be able to monitor this. This is the cheapest way and
actually the worst way of doing it, since collisions are introduced and the
failure of a hub as well. But I figured I would throw it in just in case.

Yury German
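For option #1, as an added example that is not part of the post or of snort itself: a minimal Cisco IOS SPAN session that copies everything seen on the firewall's switch port to the port where the snort sensor is plugged in. The interface names and the Catalyst/IOS platform are assumptions; the sensor's sniffing NIC should carry no IP address and be brought up in promiscuous mode before starting snort on it.

```cisco
! Added example (not from the post). Assumed: firewall on Fa0/1,
! snort sensor's sniffing NIC on Fa0/24, Catalyst switch running IOS.
configure terminal
 ! copy both directions (rx and tx) of the firewall's port
 monitor session 1 source interface FastEthernet0/1 both
 ! deliver the copies to the port the sensor's sniffing NIC is on
 monitor session 1 destination interface FastEthernet0/24
end
! verify the session is active and the right ports are listed
show monitor session 1
```

The destination port stops behaving like a normal switch port, so give the sensor a second NIC on an ordinary port for management. Where the switch allows only one destination port, the post's hub suggestion is how a second listener gets the same copy.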

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Linux Boy
Sent: Sunday, January 06, 2002 1:22 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Using snort on a switched network

Hello Everyone,

      One quick question.  How does snort do NID on a switched network?  Is
it less productive on a switched network?  The reason is that I am on a
switched network and would like to use snort.  However, my whole network is
behind our firewall and many people suggested not to run snort on the same
machine as the firewall.  So if I run snort on another machine outside the
firewall, but on the same network as the firewall (also switched), will
snort detect port scans, etc. directed towards my firewall and machines
behind it?  If so, how does it work?  Thanks in advance.


