[Snort-users] Switched network woes..

Abe L. Getchell abegetchell at ...530...
Mon Jan 14 19:53:02 EST 2002


Hi Joe!

Throw extra NICs in the sensor(s).  As long as you're not moving more
data than the box can handle across multiple interfaces without dropping
packets, you'll have a cheap, simple solution.  If you have a box with
multiple procs, and running your sensor on an OS that supports binding
processes to specific procs, you could run multiple instances of Snort
each monitoring an interface having its own dedicated processor.  This
would help to avoid context-switching overhead, etc.  Just a thought,
YMMV.

FWIW, you'll most likely see the 450T code, within the next three
months, be able to do many-to-one and one-to-many mirrors.  I guess
there were some cool things that came out of Nortel buying Alteon Web
Systems after all. =)

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell at ...530...


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Joe Pampel
> Sent: Monday, January 14, 2002 10:16 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Switched network woes..
> 
> 
> Hi all..
> 
> It was the best of times, it was, well, also a pain in the 
> rear. No more hubs for my little corner of the universe and 
> now that the firewall is clustered I am presented with an 
> irritating IDS situation:
> 
> Each switch only allows one port to be mirrored - eg: one 
> monitor port and one port where you watch all traffic. 
> (Nortel 450-24T's fwiw) The switches that the firewalls go 
> into are cascaded, (one FW nic into each sw) on both the 
> inside and outside.. so it would appear I need 4 sensors just 
> to watch the firewalls now.. is there a shortcut for this? 
> (short of plugging back into hubs!) it would be nice if there 
> was some way to sniff off the VIP of the FW cluster.. 
> although I don't see how that would work... I can get it down 
> to 3 easily by just monitoring the edge router ethernet port 
> and massaging the snort config to ignore all the stuff that's 
> not ours.. how can I get back to 2 sensors?
> 
> Any brilliant shortcuts for this? I don't see any way around 
> 3-4 sensors but just thought I'd ask.. If the cluster expands 
> I won't be able to fully monitor it.. and I've gotten really 
> used to monitoring it. 
> 
> Thx,
> 
> - Joe
> 
> 
> 
> 
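An added example to illustrate the one-instance-per-NIC layout suggested above (this is not code from the thread or from the Snort project): a POSIX shell script that plans one Snort process per mirror-port interface and pins each to its own CPU. It assumes a Linux sensor with `taskset` available and uses the long-standing Snort flags `-D`, `-i`, `-c` and `-l`; the interface names, CPU count and file paths are constructed sample values. It refuses to schedule more interfaces than there are CPUs, since doubling up on a processor reintroduces the context-switching overhead the layout is meant to avoid.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# One Snort instance per monitored NIC, each bound to a dedicated CPU.
# Assumptions: Linux, taskset from util-linux, Snort CLI flags -D/-i/-c/-l.
# Paths below are constructed sample values; adjust for the sensor.
SNORT_BIN=/usr/local/bin/snort
SNORT_CONF=/etc/snort/snort.conf
LOG_BASE=/var/log/snort

# Build the command line for one sensor instance: interface $1 on CPU $2.
# Each instance gets its own log directory so alerts from different mirror
# ports are kept apart and can be attributed to the right switch.
snort_cmd() {
    iface="$1"
    cpu="$2"
    printf 'taskset -c %s %s -D -i %s -c %s -l %s/%s\n' \
        "$cpu" "$SNORT_BIN" "$iface" "$SNORT_CONF" "$LOG_BASE" "$iface"
}

# Assign interfaces to CPUs 0..n-1 in order. Fails (exit 1) when there are
# more interfaces than CPUs, because two capture processes sharing a CPU
# defeats the point of pinning and risks dropped packets under load.
plan_instances() {
    ncpu="$1"
    shift
    n=$#
    if [ "$n" -gt "$ncpu" ]; then
        echo "error: $n interfaces but only $ncpu CPUs available" >&2
        return 1
    fi
    cpu=0
    for iface in "$@"; do
        snort_cmd "$iface" "$cpu"
        cpu=$((cpu + 1))
    done
}

# Dry run with constructed values: a 2-CPU sensor watching two mirror ports.
# Pipe the output to sh (as root, with Snort installed) to actually start them.
plan_instances 2 eth1 eth2
```

The script only prints the command lines; reviewing the plan before piping it to `sh` lets you confirm that each mirror port, CPU and log directory is what you expect before any capture process starts.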