[Snort-users] switched environment
myu at ...9262...
Thu May 22 08:26:02 EDT 2003
I'm new to the list. I am planning to deploy a NIDS on our network and am
currently testing Snort. My network is pretty flat: we have a core
switch (3Com 3C16985B SuperStack3) connecting servers (DNS, mail, etc.) and
one Cisco router to the Internet. Additionally, we have a cable modem
termination system (CMTS) acting as a bridge between the cable modems and
the switched LAN. Although the switch has a roving analysis port where I
can put Snort, I doubt that putting it on one 100 Mbit full-duplex port will
enable it to monitor 12 other 100 Mbit full-duplex ports.
I came up with this solution, however: I can put two NICs on the Snort
machine and configure the switch so that one NIC monitors the Cisco port
and the other NIC monitors the CMTS port, thereby giving me 99% NIDS
coverage. I can monitor attacks from the Internet to any IP on my LAN, and
attacks from my cable modems to anywhere, BUT I cannot monitor attacks from
my servers going to other servers on my LAN (which is an acceptable
trade-off for a clunky solution).
Question 1: how can I prevent Snort from reporting a (for example) NIMDA
attack twice if the attack is from the Internet to a cable modem or
vice versa, since the attack will be seen on both the Cisco port and the CMTS
port, which Snort monitors?
Question 2: is there a better way to put a NIDS on a switched environment
like mine without resorting to putting a hub inline (tapping into the
physical UTP cables)?
Thanks in advance for any help/info!
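One way to deal with Question 1 on the sensor side, as an added example that is not part of the original post or of Snort itself: a small post-processor that reads Snort "fast" alert lines from the two interfaces and reports a given rule plus 5-tuple only once per short time window, so the copy seen on the Cisco port and the copy seen on the CMTS port collapse into one event. It assumes the fast-format line layout (timestamp without a year, `[gid:sid:rev]`, `{PROTO}`, `src:port -> dst:port`), assumes a year of 2003 because the format omits it, and the sample alert lines and the window length (2 s) are constructed for illustration. The window also generalizes beyond the two-port case: any number of mirror ports that see the same packet produce one report.

```python
"""Collapse duplicate Snort alerts raised when one packet is seen on both
sniffing NICs of a sensor that mirrors two switch ports.

Added example, not from the original post.  Assumes Snort's "fast" alert
line layout (timestamp without year, [gid:sid:rev], {PROTO}, src:port ->
dst:port) and that both copies of a packet reach the sensor within a
short window.  The sample lines below are constructed."""
import re
from collections import OrderedDict
from datetime import datetime, timedelta

# One line of fast-format alert output (layout assumed, see docstring).
# Anything between the rule id and the {PROTO} tag is skipped.
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)\.(?P<us>\d{6})"
    r"\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)
ASSUMED_YEAR = 2003  # fast-format timestamps carry no year; the post is from 2003


def parse_alert(line):
    """Parse one fast-format alert line; return None for non-matching lines."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    ts = datetime(ASSUMED_YEAR, int(g["mon"]), int(g["day"]),
                  int(g["hh"]), int(g["mm"]), int(g["ss"]), int(g["us"]))
    return {"ts": ts, "rule": (int(g["gid"]), int(g["sid"])),
            "proto": g["proto"].upper(), "src": g["src"], "sport": g["sport"],
            "dst": g["dst"], "dport": g["dport"], "line": line}


def dedup_key(alert):
    """Rule id plus the 5-tuple: both copies of one packet produce this key."""
    return (alert["rule"], alert["proto"],
            alert["src"], alert["sport"], alert["dst"], alert["dport"])


class AlertDeduper:
    """Report a key once per window; repeats inside the window are dropped.

    The first copy's timestamp is kept rather than refreshed, so a host
    that keeps attacking is reported once per window instead of being
    silenced for as long as it keeps sending."""

    def __init__(self, window_s=2.0):
        self.window = timedelta(seconds=window_s)
        self.first_seen = OrderedDict()  # key -> ts of the reported copy
        self.suppressed = 0

    def _expire(self, now):
        # Keys are inserted in time order, so pop from the front until the
        # oldest one is still inside the window.
        while self.first_seen:
            _, ts = next(iter(self.first_seen.items()))
            if now - ts <= self.window:
                break
            self.first_seen.popitem(last=False)

    def accept(self, alert):
        """True if the alert should be reported, False if it is a duplicate."""
        self._expire(alert["ts"])
        key = dedup_key(alert)
        if key in self.first_seen:
            self.suppressed += 1
            return False
        self.first_seen[key] = alert["ts"]
        return True


def dedup_alerts(lines, window_s=2.0):
    """Return (kept alerts, number suppressed) for an iterable of log lines."""
    deduper = AlertDeduper(window_s)
    kept = [a for a in map(parse_alert, lines) if a and deduper.accept(a)]
    return kept, deduper.suppressed


# Constructed sample: one probe seen on the NIC mirroring the Cisco port and
# again ~0.4 ms later on the NIC mirroring the CMTS port, a second connection
# likewise, then the first connection retried 7 s later (a genuine new event).
SAMPLE_ALERTS = """\
05/22-08:26:02.100000 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 203.0.113.7:3421 -> 192.0.2.10:80
05/22-08:26:02.100400 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 203.0.113.7:3421 -> 192.0.2.10:80
05/22-08:26:05.000000 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 203.0.113.7:3422 -> 192.0.2.10:80
05/22-08:26:05.000300 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 203.0.113.7:3422 -> 192.0.2.10:80
05/22-08:26:09.000000 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Priority: 2] {TCP} 203.0.113.7:3421 -> 192.0.2.10:80
"""

if __name__ == "__main__":
    kept, dropped = dedup_alerts(SAMPLE_ALERTS.splitlines())
    for a in kept:
        print(a["line"])
    print(f"reported {len(kept)}, suppressed {dropped} duplicate(s)")
```

Two caveats a practitioner should keep in mind. A genuine TCP retransmission of the same offending segment inside the window is also collapsed, which is acceptable for counting events but hides retry behaviour; the window should be only a little longer than the worst-case delay between the two mirror ports. And fast-format alerts carry no IP ID or payload hash, so the 5-tuple plus rule id is the strongest identity available without switching to a richer output format; with per-packet logging one could key on the IP ID and length instead. Traffic between two servers on the LAN never reaches either mirror port, so, as the post already notes, there is nothing to deduplicate there.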