[Snort-users] Port Aggregator Tap alternatives for snort sensor

Stephen Reese rsreese at ...11827...
Tue Mar 4 11:45:11 EST 2008


Very cool, that will work.

I will post on the Cisco group to determine if the spanning will work
in the manner I'm trying to. Thanks for everyone's help.

On Tue, Mar 4, 2008 at 9:22 AM, Seth <sethsec at ...11827...> wrote:
> >  Also besides the different networks the sensor
> >  is still going to combine everything but I guess filters could be used
> >  to help dissect the traffic?
>
> Sounds like an excellent case for the use of BPF filters and multiple
> instances of snort.
>
> instance 1 - snort <params> net 10.0.0.0/8
> instance 2 - snort <params> not net 10.0.0.0/8
>
> This way you will make SURE that anything the first instance doesn't
> grab the second one will.
>
> > I can use the same sensor but then all of the traffic would also be
> >  piled into one database and/or alerts.
>
> Regarding the database, you can use the sensor_id (not sure if that is
> exactly right) parameter of the output database plug-in to identify
> which instance of snort logged each alert in BASE or whatever you are
> using.
>
> Regards,
>
> Seth
>
>
> On Mon, Mar 3, 2008 at 8:51 PM, Stephen Reese <rsreese at ...11827...> wrote:
> > I can use the same sensor but then all of the traffic would also be
> >  piled into one database and/or alerts. Is there a way to separate or
> >  tag the traffic so snort or anything else for that matter can discern
> >  the traffic?
> >
> >  Also the taps will be on different networks.
> >
> >  ---internet----> TAP ---router---> TAP ----network cloud---
> >
> >  So internet and router reside on ports 1 and 2 of the 2950 switch.
> >  Sensor port 3. Could the output of the router go to port, say, 4 and out
> >  5 to the network and the sensor also monitor those two, assuming they
> >  should be on their own VLAN so there isn't any interference, or will
> >  there be a problem with having multiple networks on the same switch due to
> >  broadcasts and whatnot? Also, besides the different networks, the sensor
> >  is still going to combine everything, but I guess filters could be used
> >  to help dissect the traffic?
> >
> >  Thanks for the help.
> >
> >
> >
> >  On Mon, Mar 3, 2008 at 7:39 PM, Andrew Willy <andrewwilly at ...11827...> wrote:
> >  > Is the same sensor to analyze the multiple taps? You may define multiple
> >  > source interfaces or VLANs in the same monitoring session.
> >  >
> >  > monitor session 1 source interface fa0/1,fa0/2,fa0/3
> >  >
> >  > Andrew
> >  >
> >  >
> >  >
> >  >
> >  >  On Mon, Mar 3, 2008 at 4:55 PM, Stephen Reese <rsreese at ...11827...> wrote:
> >  > >
> >  > >
> >  > >
> >  > > I've been using a Cisco 2950 for a single tap I have set up and it has
> >  > > worked fine to date.
> >  > >
> >  > > !
> >  > > interface FastEthernet0/1
> >  > >  switchport access vlan 100
> >  > >  duplex full
> >  > > !
> >  > > interface FastEthernet0/2
> >  > >  switchport access vlan 100
> >  > >  duplex full
> >  > > !
> >  > > !
> >  > > monitor session 1 source interface Fa0/1
> >  > > monitor session 1 destination interface Fa0/3
> >  > >
> >  > > Port one is the internet source, port two is to my routing device and
> >  > > three is to my sensor.
> >  > >
> >  > > I would like to set up some more taps without having to run more
> >  > > switches. An alternative is still to purchase a tap (around $300) or
> >  > > make one from scratch
> >  > > (http://www.altsec.info/passive-network-tap.html), but I would prefer
> >  > > not to have to deal with bonding interfaces. I was considering another
> >  > > 2950 switch (still costs around $250 used), but I figure there has got
> >  > > to be a better solution? A port aggregator seems to be out of the
> >  > > question since they seem to run around $1000...
> >  > >
> >  > > Any recommendations? Thanks.
> >  > >
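The two-instance split Seth suggests works because the BPF `net` primitive matches a packet when either endpoint lies in the prefix, so `net X` and `not net X` together cover every packet exactly once. The following Python sketch is added here and is not from the thread or from Snort; it emulates that `net` semantic on a few constructed packets and checks a filter set for gaps and overlaps, contrasting the complementary pair with a one-sided `src net` pair that silently loses return traffic.

```python
import ipaddress

# Constructed sample packets as (src, dst) pairs; not captured traffic.
PACKETS = [
    ("10.1.2.3", "10.4.5.6"),        # internal to internal
    ("10.1.2.3", "198.51.100.7"),    # internal to internet
    ("198.51.100.7", "10.1.2.3"),    # internet back to internal
    ("192.0.2.10", "198.51.100.7"),  # neither endpoint in 10/8
]


def bpf_net(cidr):
    """Emulate BPF 'net <cidr>': true if src OR dst is inside the prefix."""
    net = ipaddress.ip_network(cidr)
    return lambda pkt: any(ipaddress.ip_address(a) in net for a in pkt)


def bpf_src_net(cidr):
    """Emulate BPF 'src net <cidr>': only the source address is tested."""
    net = ipaddress.ip_network(cidr)
    return lambda pkt: ipaddress.ip_address(pkt[0]) in net


def bpf_not(expr):
    """Emulate BPF 'not <expr>'."""
    return lambda pkt: not expr(pkt)


def split(packets, filters):
    """Assign each packet to every instance whose filter matches it."""
    assigned = {name: [] for name in filters}
    for pkt in packets:
        for name, match in filters.items():
            if match(pkt):
                assigned[name].append(pkt)
    return assigned


def partition_check(packets, filters):
    """Return (unseen, duplicated): packets no instance takes / more than one takes."""
    counts = {pkt: sum(m(pkt) for m in filters.values()) for pkt in packets}
    unseen = [p for p, c in counts.items() if c == 0]
    duplicated = [p for p, c in counts.items() if c > 1]
    return unseen, duplicated


# Seth's complementary pair: every packet lands on exactly one instance.
COMPLEMENTARY = {
    "instance1": bpf_net("10.0.0.0/8"),
    "instance2": bpf_not(bpf_net("10.0.0.0/8")),
}

# A one-sided pair (hypothetical): internet-to-internal replies match neither.
ONE_SIDED = {
    "instance1": bpf_src_net("10.0.0.0/8"),
    "instance2": bpf_src_net("192.0.2.0/24"),
}
```

Note that because `net` tests both endpoints, all traffic between 10/8 and the internet also lands on instance 1; instance 2 only sees flows where neither side is in 10/8, which may be narrower than "the other network" if the goal was to separate the two taps.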



