[Snort-users] Port Aggregator Tap alternatives for snort sensor

Seth sethsec at ...11827...
Tue Mar 4 09:22:47 EST 2008


>  Also besides the different networks the sensor
>  is still going to combine everything but I guess filters could be used
>  to help dissect the traffic?

Sounds like an excellent case for the use of BPF filters and multiple
instances of snort.

instance 1 - snort <params> net 10.0.0.0/8
instance 2 - snort <params> not net 10.0.0.0/8

This way you will make SURE that anything the first instance doesn't
grab the second one will.

> I can use the same sensor but then all of the traffic would also be
>  piled into one database and/or alerts.

Regarding the database, you can use the sensor_id (not sure if that is
exactly right) parameter of the output database plug-in to identify
which instance of snort logged each alert in BASE or whatever you are
using.

Regards,

Seth

On Mon, Mar 3, 2008 at 8:51 PM, Stephen Reese <rsreese at ...11827...> wrote:
> I can use the same sensor but then all of the traffic would also be
>  piled into one database and/or alerts. Is there a way to separate or
>  tag the traffic so snort or anything else for that matter can discern
>  the traffic?
>
>  Also the taps will be on different networks.
>
>  ---internet----> TAP ---router---> TAP ----network cloud---
>
>  So internet and router reside on ports 1 and 2 of the 2950 switch.
>  Sensor port 3. Could the output of the router go to port say 4 and out
>  5 to the network and the sensor also monitor those two assuming they
>  should be on their own VLAN so there isn't any interference or will
>  there be a problem with having multiple networks on the same switch due to
>  broadcasts and whatnot. Also besides the different networks the sensor
>  is still going to combine everything but I guess filters could be used
>  to help dissect the traffic?
>
>  Thanks for the help.
>
>
>
>  On Mon, Mar 3, 2008 at 7:39 PM, Andrew Willy <andrewwilly at ...11827...> wrote:
>  > Is the same sensor to analyze the multiple taps? You may define multiple
>  > source interfaces or VLANs in the same monitoring session.
>  >
>  > monitor session 1 source interface fa0/1,fa0/2,fa0/3
>  >
>  > Andrew
>  >
>  >
>  >
>  >
>  >  On Mon, Mar 3, 2008 at 4:55 PM, Stephen Reese <rsreese at ...11827...> wrote:
>  > >
>  > >
>  > >
>  > > I've been using a Cisco 2950 for single tap I have setup and it has
>  > > worked fine to date.
>  > >
>  > > !
>  > > interface FastEthernet0/1
>  > >  switchport access vlan 100
>  > >  duplex full
>  > > !
>  > > interface FastEthernet0/2
>  > >  switchport access vlan 100
>  > >  duplex full
>  > > !
>  > > !
>  > > monitor session 1 source interface Fa0/1
>  > > monitor session 1 destination interface Fa0/3
>  > >
>  > > Port one is the internet source, port two is to my routing device and
>  > > three is to my sensor.
>  > >
>  > > I would like to setup some more taps without having to run more
>  > > switches. An alternative is to purchase a tap still (around $300) or
>  > > making one from scratch
>  > > (http://www.altsec.info/passive-network-tap.html) but I would prefer
>  > > not to have to deal with bonding interfaces. I was considering another
>  > > 2950 switch (still cost around $250 used) but I figure there has got
>  > > to be a better solution? A port aggregator seems to be out of the
>  > > question since they seem to run around $1000...
>  > >
>  > > Any recommendations? Thanks.
>  > >
>  > >
>  >
>  >
>
>
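Seth's scheme of one Snort instance per BPF filter, with the last instance taking the complement so nothing is dropped, as an added example that is not part of the thread; it generalizes to any number of networks, assumes BPF `net X` matches when either the source or the destination address lies in X, and uses constructed networks and flows as sample data:

```python
"""Added example (not from the thread): build complementary BPF filters for
several Snort instances and check on constructed sample traffic that every
packet is seen by exactly one instance. Assumes BPF 'net X' semantics:
match if the source OR the destination address is inside X."""
import ipaddress

def plan_instances(nets):
    """Return [(own_net, excluded_nets), ...] for each Snort instance.
    Instance k takes its own net minus whatever earlier instances already
    take; the final entry (own_net=None) is the catch-all complement."""
    plan, seen = [], []
    for net in nets:
        plan.append((net, list(seen)))
        seen.append(net)
    plan.append((None, list(seen)))
    return plan

def to_bpf(own, excluded):
    """Render one plan entry as the BPF string passed to that snort instance."""
    parts = [] if own is None else [f"net {own}"]
    if excluded:
        parts.append("not (" + " or ".join(f"net {n}" for n in excluded) + ")")
    return " and ".join(parts)

def in_net(net, src, dst):
    n = ipaddress.ip_network(net)
    return ipaddress.ip_address(src) in n or ipaddress.ip_address(dst) in n

def matches(own, excluded, src, dst):
    """Evaluate a plan entry against one packet (src, dst)."""
    if own is not None and not in_net(own, src, dst):
        return False
    return not any(in_net(n, src, dst) for n in excluded)

def assign(nets, flows):
    """Map each (src, dst) flow to the single instance index that sees it;
    raise if any flow would be seen by zero or several instances."""
    plan, result = plan_instances(nets), {}
    for src, dst in flows:
        hits = [i for i, (own, exc) in enumerate(plan) if matches(own, exc, src, dst)]
        if len(hits) != 1:
            raise ValueError(f"{src}->{dst} matched instances {hits}")
        result[(src, dst)] = hits[0]
    return result

# Constructed sample data: two monitored networks and four flows, one of
# which touches both networks (it must land on exactly one instance).
SAMPLE_NETS = ["10.0.0.0/8", "192.168.1.0/24"]
SAMPLE_FLOWS = [("10.1.2.3", "8.8.8.8"), ("192.168.1.5", "1.1.1.1"),
                ("10.5.5.5", "192.168.1.9"), ("203.0.113.7", "198.51.100.2")]

if __name__ == "__main__":
    for i, (own, exc) in enumerate(plan_instances(SAMPLE_NETS)):
        print(f"instance {i+1}: snort <params> {to_bpf(own, exc)}")
    print(assign(SAMPLE_NETS, SAMPLE_FLOWS))
```

With a single network the plan reproduces the two filters in Seth's reply (`net 10.0.0.0/8` and `not (net 10.0.0.0/8)`).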