This is a discussion on [Snort-users] Snort on span port within the Snort forums, part of the System Security and Security Related category.
We are deploying SourceFire (snort network sensor) appliances to capture traffic on a VLAN that spans 4 Cisco Catalyst 5500 switches (Cat OS), connected on a trunk. I looked at the data, connecting to the span port of each of the switches; these span ports are supposed to be well configured by competent engineers and have been in use for a long time for network sniffing through the NAI distributed network sniffer. I am connecting the snort appliance in parallel with the NAI sniffer using a 100 MB/s hub. I see less than 0.2 MB/s traffic on 3 of these switches, while I see over 2 MB/s sustained traffic when connected to the span port of one of the switches. So I decided to connect the IDS to the span port of this switch. I initially thought that I would see the same traffic on all 4 switches as they are trunked, and after this exercise I realized the entire traffic of the VLAN can be sniffed only on one switch's span port. A network engineer clarified that ONLY the root bridge on the VLAN would see all the traffic, and the root bridge could change after a re-election when the current root goes down.

The question is how do I ensure that I always capture the entire VLAN traffic, irrespective of which switch is the "root bridge"? Should I have IDS sensors on the span port of all the switches in this kind of scenario? Is there any better solution? I keep hearing of the Cisco term VACL to configure the port on which the IDS sits. Is it better than using a span port? I would appreciate it if someone shares their experience dealing with this kind of situation.

Thanks,
Ilango