[Snort-users] heavily switched networks

twig les twigles at ...131...
Tue Dec 23 18:56:01 EST 2003


--- Stewart Larsen <slarsen42 at ...1457...> wrote:
> I've looked into this ad can't seem to find an answer I like.
> Perhaps
> I'm asking the wrong question.
> 
> Suppose I have a network consisting of a gateway which goes
> into a
> firewall.  The connection from the firewall goes into a switch
> which
> leads to another level of switches. some of these machines are
> servers,
> some are workstations. None of the switches have port
> mirroring (SPAN
> ports).
> 
> I understand how to set us IDS at the gateway with a stealth
> interface.
> My question becomes, how do I effectively monitor the network.
>  If I put
> a tap before each switch, I will not be able to monitor
> traffic between
> 2 machines on the other side of the switch, correct?
> 
> do I have to run  a snort sensor on each server? On each
> workstation?
> Ideally, I'd like to have one sensor for each segment without
> having to
> basically throw away existing hardware and get SPAN switches.
> 
> -- 

You can use one or two boxes with multiple NICs sniffing,
running a different snort process for each one.  I'm doing that
and it works quite nicely if you name everything distinctly,
like "outbound.north.snort.sh" for the start script.

=====
-----------------------------------------------------------
Only fools have all the answers.   
-----------------------------------------------------------

__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree




More information about the Snort-users mailing list