[Snort-users] heavily switched networks

Stewart Larsen slarsen42 at ...1457...
Wed Dec 24 07:17:01 EST 2003


Right, but where would you tap?

Let's assume that I have the gateway and firewall set up going into a 16-port
switch. We'll call this switch switch:0. Each port on switch:0 goes to
another 16-port switch. We'll call these switch:1 through switch:16.

I now have a nicely divided network with 16 segments of 16 computers
each. That allows me to have 256 computers on my network.

How do I effectively monitor traffic within each segment without a
switch that supports SPAN? Do I need to sniff on 256 different wires?
Or am I missing some fundamental insight here?

Stewart

On Tue, 2003-12-23 at 21:55, twig les wrote:
> --- Stewart Larsen <slarsen42 at ...1457...> wrote:
> > I've looked into this and can't seem to find an answer I like. Perhaps
> > I'm asking the wrong question.
> > 
> > Suppose I have a network consisting of a gateway which goes into a
> > firewall. The connection from the firewall goes into a switch which
> > leads to another level of switches. Some of these machines are servers,
> > some are workstations. None of the switches have port mirroring (SPAN
> > ports).
> > 
> > I understand how to set up IDS at the gateway with a stealth interface.
> > My question becomes, how do I effectively monitor the network? If I put
> > a tap before each switch, I will not be able to monitor traffic between
> > 2 machines on the other side of the switch, correct?
> > 
> > Do I have to run a snort sensor on each server? On each workstation?
> > Ideally, I'd like to have one sensor for each segment without having to
> > basically throw away existing hardware and get SPAN switches.
> > 
> > -- 
> 
> You can use one or two boxes with multiple NICs sniffing,
> running a different snort process for each one.  I'm doing that
> and it works quite nicely if you name everything distinctly,
> like "outbound.north.snort.sh" for the start script.
> 
-- 
Stewart Larsen
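As an added example (not code from the thread or from the Snort project), here is the one-box, one-Snort-process-per-NIC layout twig les describes, with each process named after the segment it watches; the segment names, interface names and paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: one sniffing box with several
# NICs, one Snort process per NIC, each named after the segment it watches
# (the "outbound.north" style of naming from the reply above).
# Segment names, interface names and paths are constructed placeholders.

SNORT_BIN=snort
SNORT_CONF=/etc/snort/snort.conf
LOG_ROOT=/var/log/snort
# DRY_RUN=1 (default) only prints the commands, so the script can be
# read on a host without Snort; DRY_RUN=0 actually starts the daemons.
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample mapping: "<segment> <interface>" per line, where the
# interface is the NIC cabled to that segment's tap or hub.
SEGMENTS='
north eth1
south eth2
outbound eth3
'

# Number of sensors this box will run (mapping lines with two fields).
sensor_count() {
    printf '%s\n' "$SEGMENTS" | awk 'NF == 2 { n++ } END { print n + 0 }'
}

# Command line for one sensor: daemon mode (-D), bound to one interface
# (-i), shared rule set (-c), and a per-segment log directory (-l) so
# alerts from different segments never land in the same file.
snort_cmd() {
    printf '%s -D -i %s -c %s -l %s/%s\n' \
        "$SNORT_BIN" "$2" "$SNORT_CONF" "$LOG_ROOT" "$1"
}

# Start (or, in dry-run mode, print) every sensor in the mapping.
start_sensors() {
    printf '%s\n' "$SEGMENTS" | while read -r seg ifc; do
        [ -n "$seg" ] && [ -n "$ifc" ] || continue
        cmd=$(snort_cmd "$seg" "$ifc")
        if [ "$DRY_RUN" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            mkdir -p "$LOG_ROOT/$seg"
            $cmd
        fi
    done
}

start_sensors
```

Each NIC still has to be attached to something that actually carries the segment's traffic (a tap or hub on that segment's uplink); the script only keeps the per-segment sensors and their logs distinguishable.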