[Snort-users] switched environment

M. Yu myu at ...9262...
Thu May 22 08:26:02 EDT 2003

Hello all,

I'm new to the list and I am planning to deploy a NIDS on our network and am
currently testing Snort.  My network is pretty flat: we have a core
switch (3Com 3C16985B SuperStack3) connecting servers (DNS, mail, etc.) and
one Cisco router to the Internet.  Additionally, we have a cable modem
termination system (CMTS) acting as a bridge between the cable modems and
the switched LAN.  Although the switch has a roving analysis port where I
can put a Snort sensor, I doubt that putting it on one 100 Mbit/s full-duplex port will
enable it to monitor 12 other 100 Mbit/s full-duplex ports.

I came up with this solution, however: I can put two NICs in the Snort
machine and configure the switch such that one NIC monitors the Cisco port
and the other NIC monitors the CMTS port, thereby giving me 99% NIDS
coverage.  I can monitor attacks from the Internet to any IP on my LAN, and
attacks from my cable modems to anywhere, BUT I cannot monitor attacks from
my servers going to other servers on my LAN (which is an acceptable
trade-off for a clunky solution).

Question 1: How can I prevent Snort from reporting a (for example) NIMDA
attack twice if the attack is from the Internet to a cable modem or
vice versa, since the attack will be seen on both the Cisco port and the CMTS
port, both of which Snort monitors?

Question 2: Is there a better way to put a NIDS on a switched environment
like mine without resorting to putting a hub inline (tapping into the
physical UTP cables)?

Thanks in advance for any help/info!

M. Yu
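The double-reporting problem in Question 1 above, worked through as an added example that is not part of the original post or of Snort itself: with one NIC on the Cisco mirror port and one on the CMTS mirror port, a packet that crosses both links (Internet to cable modem, or the reverse) produces one alert per interface. The script below parses Snort 2.x "fast" alert lines from the two interfaces, merges them in time order, and collapses a repeat of the same signature and 5-tuple that arrives from the other interface within a short window, while keeping repeats from the same interface (those are real repeated packets). The alert lines, interface names (eth0 for the Cisco mirror, eth1 for the CMTS mirror), addresses and SIDs are constructed for the example, and the 2-second window and the year are assumptions.

```python
"""Collapse alerts two Snort mirror-port interfaces logged for the same packet.

Added example, not code from the original post or from Snort. The alert
lines, interface names, addresses and SIDs below are constructed; the
merge window and the year are assumptions.
"""
import re
from datetime import datetime, timedelta

# Snort 2.x "fast" alert: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)

YEAR = 2003  # fast-format timestamps carry no year; assumed for the example


def parse_fast(line, sensor):
    """Parse one fast-format alert line tagged with the interface that logged it."""
    m = FAST_RE.match(line)
    if not m:
        raise ValueError("not a fast-format alert: %r" % line)
    ts = datetime.strptime("%d/%s" % (YEAR, m.group("ts")), "%Y/%m/%d-%H:%M:%S.%f")
    return {
        "ts": ts,
        "sensor": sensor,
        "sig": (int(m.group("gid")), int(m.group("sid"))),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "msg": m.group("msg"),
    }


def dedup(alerts, window=timedelta(seconds=2)):
    """Merge alerts from several interfaces into one time-ordered list.

    A repeat of the same signature and 5-tuple from an interface that has
    not yet been recorded for that event, arriving within `window`, is a
    mirror copy and is folded into the earlier alert's `sensors` set.
    A repeat from the same interface is a new packet and is kept.
    """
    out = []
    last_kept = {}  # (sig, proto, src, dst) -> index in out of the last kept alert
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["sig"], a["proto"], a["src"], a["dst"])
        i = last_kept.get(key)
        if i is not None:
            prev = out[i]
            if a["sensor"] not in prev["sensors"] and a["ts"] - prev["ts"] <= window:
                prev["sensors"].add(a["sensor"])
                continue
        kept = dict(a, sensors={a["sensor"]})
        last_kept[key] = len(out)
        out.append(kept)
    return out


# Constructed sample: eth0 mirrors the Cisco (Internet) port, eth1 the CMTS port.
# 203.0.113.0/24 plays the Internet, 192.0.2.0/24 the cable modems,
# 198.51.100.0/24 the servers. SIDs 900001/900002 are placeholders.
TAIL = "[**] [Classification: Web Application Attack] [Priority: 1] {TCP} "
SAMPLE = [
    # Internet -> cable modem: crosses both mirrored links, logged twice
    ("eth0", "05/22-08:26:02.103311 [**] [1:900001:1] EXAMPLE cmd.exe access " + TAIL + "203.0.113.5:4021 -> 192.0.2.77:80"),
    ("eth1", "05/22-08:26:02.103402 [**] [1:900001:1] EXAMPLE cmd.exe access " + TAIL + "203.0.113.5:4021 -> 192.0.2.77:80"),
    # Internet -> server: only the Cisco mirror sees it
    ("eth0", "05/22-08:26:05.511000 [**] [1:900001:1] EXAMPLE cmd.exe access " + TAIL + "203.0.113.5:4030 -> 198.51.100.20:80"),
    # cable modem -> server: only the CMTS mirror sees it
    ("eth1", "05/22-08:26:07.000100 [**] [1:900002:1] EXAMPLE root.exe access " + TAIL + "192.0.2.77:1025 -> 198.51.100.20:80"),
    # same attacker retries the first request 30 s later: a new event, again on both
    ("eth0", "05/22-08:26:32.200000 [**] [1:900001:1] EXAMPLE cmd.exe access " + TAIL + "203.0.113.5:4021 -> 192.0.2.77:80"),
    ("eth1", "05/22-08:26:32.200090 [**] [1:900001:1] EXAMPLE cmd.exe access " + TAIL + "203.0.113.5:4021 -> 192.0.2.77:80"),
]


def run_example():
    """Parse and deduplicate the constructed sample; six lines become four events."""
    return dedup([parse_fast(line, iface) for iface, line in SAMPLE])


if __name__ == "__main__":
    for a in run_example():
        print(a["ts"].time(), sorted(a["sensors"]), a["sig"], a["src"], "->", a["dst"])
```

The six constructed lines collapse to four events; the two Internet-to-modem events each carry both interface names, which also shows which link a packet travelled rather than hiding it. An alternative that avoids post-processing is to give the CMTS-side Snort instance a BPF filter that keeps only traffic with both endpoints inside the local address space, since anything involving an outside address is already seen on the Cisco mirror; that trades the duplicate alerts for having to keep the local-network list in the filter current.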
