[Snort-users] how to use snort in a switched environment

Carlos Felix snort at ...8664...
Wed May 14 11:57:06 EDT 2003


Ooops – one more thing –

You will need a 2nd NIC on your system if you intend to make your system
the snort device. The reason behind this is that once you issue the “port
monitor” command to the port on the switch, Cisco IOS disables the port as
anything other than to listen on – so you will not be able to send data
from your system outbound on that port.
So far as the comments on this about the performance of the switch – well
they are well founded but I make the huge assumption that you are not
going to try to monitor anything higher than a T3 because if you were
then you would have a lot more IS staff & network hardware.

As an FYI for the readers of this list – I use the Cisco 2924-XL to
monitor a client’s two DS-3’s with no problem whatsoever from it. The load
on those DS-3’s is about 60% at any given time so I am monitoring close to
52Mbit/sec on a P4 2GHz, w/ 2 GB of RAM (DDR) and 80GB ATA100 HDDs
(hardware mirror), 3C905C NICs. The MySQL DB logs close to 52MB of
alerts/day – I have all the default rules turned on (even the commented
ones – yes I know that this is foolish but that is the way they want it
because of political issues from their auditing firm). Granted – the only
thing that I monitor with this particular system is traffic that is at the
internet level of their connection (coming to/from their firewalls) so I
monitor no LAN activity on it.

Carlos


Carlos Felix said:
> Jeremy,
>
> you have an excellent switch for monitoring your network with snort (it’s
> the same one I use in several sites). All you have to do is connect a
> system to the console of your switch and configure the port that the Snort
> system is connected into to SPAN whatever ports you are wanting to
> monitor. Example: let's say that your snort system is connected to port 24
> and you want to monitor ports 1, 2, 3 and 5.
> Go to an enable prompt, then enter the configuration mode, then issue the
> following commands:
>
> Interface f24
> Port monitor f1-3 , f5
> Exit
> Exit
>
>
> That is it. All the traffic from those ports will be replicated to port
> 24. You can monitor as many/few ports as you like.
>
> Carlos
>
>
> Jeremy Rodriguez said:
>> From snort DOCS:
>> Q: I'm on a switched network, can I still use Snort?
>>
>> A: Being able to sniff on a switched network depends on what type of
>>    switch is being used.  If the switch can mirror traffic, then set
>>    the switch to mirror all traffic to the snort machine's port.
>>
>> My question is that I have a Cisco WS-C2924-XL and I was wondering if
>> anyone has used snort and these switches successfully.
>>
>>
>> The only other way I have found is:
>>
>> INET
>>      |
>> ROUTER
>>      |
>>  HUB --------- SNORT
>>      |
>> SWITCH
>>      |
>> COMPANY
>>
>
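As an added example (not from the thread, and not Cisco's or Snort's code), the following Python audit reads a saved 2900XL-style configuration, checks that the sensor port mirrors the intended uplinks, and flags any other port that also has `port monitor` enabled. It assumes the running-config form of the command (one source interface per line under the destination port, rather than the inline `f1-3 , f5` shorthand used above) and that an argumentless `port monitor` means every port in the destination's VLAN.

```python
# Added example (not from the thread): audit a saved Catalyst 2900XL-style
# running-config for SPAN statements. Assumes the running-config form, one
# 'port monitor <interface>' line per source under the destination port;
# 'port monitor' with no argument is taken as "every port in the VLAN".
import re
from collections import defaultdict
# Constructed sample config, not a real device. Fa0/24 is the Snort sensor
# port mirroring uplinks 1-3 and 5, as in the thread; the extra mirror on
# Fa0/12 is the kind of unapproved tap an audit should flag.
SAMPLE_CONFIG = """\
hostname core-2924xl
!
interface FastEthernet0/12
 port monitor FastEthernet0/1
!
interface FastEthernet0/24
 description snort sensor (receive-only once monitoring is on)
 port monitor FastEthernet0/1
 port monitor FastEthernet0/2
 port monitor FastEthernet0/3
 port monitor FastEthernet0/5
!
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.I)
MON_RE = re.compile(r"^\s+port monitor(?:\s+(\S+))?\s*$", re.I)

def parse_port_monitor(config: str) -> dict:
    """Map each SPAN destination interface to the set of sources it mirrors."""
    dests, current = defaultdict(set), None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)  # entering an interface stanza
            continue
        m = MON_RE.match(line)
        if m and current:
            dests[current].add(m.group(1) or "ALL-IN-VLAN")
    return dict(dests)

def audit_span(config: str, sensor_port: str, expected: set) -> list:
    """Report sources the sensor port misses, plus any other port that mirrors."""
    dests, findings = parse_port_monitor(config), []
    missing = expected - dests.get(sensor_port, set())
    if missing:
        findings.append(f"{sensor_port} not mirroring {sorted(missing)}")
    for dest, srcs in sorted(dests.items()):
        if dest != sensor_port:
            findings.append(f"unexpected SPAN destination {dest} mirrors {sorted(srcs)}")
    return findings
```

Run against a real `show running-config` capture with the sensor's port and the list of uplinks you expect it to see; an empty result means the mirror matches intent and nobody else is receiving a copy of the traffic.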