Re: [Snort-users] Port Aggregator Tap alternatives for snort sensor (Snort forums, System Security and Security Related category)
> Also besides the different networks the sensor
> is still going to combine everything but I guess filters could be used
> to help dissect the traffic?

Sounds like an excellent case for the use of BPF filters and multiple instances of snort.

instance 1 - snort <params> net 10.0.0.0/8
instance 2 - snort <params> not net 10.0.0.0/8

This way you will make SURE that anything the first instance doesn't grab the second one will.

> I can use the same sensor but then all of the traffic would also be
> piled into one database and/or alerts.

Regarding the database, you can use the sensor_id (not sure if that is exactly right) parameter of the output database plug-in to identify which instance of snort logged each alert in BASE or whatever you are using.

Regards,
Seth

On Mon, Mar 3, 2008 at 8:51 PM, Stephen Reese <rsreese@gmail.com> wrote:
> I can use the same sensor but then all of the traffic would also be
> piled into one database and/or alerts. Is there a way to separate or
> tag the traffic so snort or anything else for that matter can discern
> the traffic?
>
> Also the taps will be on different networks.
>
> ---internet----> TAP ---router---> TAP ----network cloud---
>
> So internet and router reside on ports 1 and 2 of the 2950 switch.
> Sensor port 3. Could the output of the router go to port say 4 and out
> 5 to the network and the sensor also monitor those two, assuming they
> should be on their own VLAN so there isn't any interference, or will
> there be a problem with having multiple networks on the same switch due to
> broadcasts and whatnot? Also besides the different networks the sensor
> is still going to combine everything but I guess filters could be used
> to help dissect the traffic?
>
> Thanks for the help.
>
> On Mon, Mar 3, 2008 at 7:39 PM, Andrew Willy <andrewwilly@gmail.com> wrote:
> > Is the same sensor to analyze the multiple taps? You may define multiple
> > source interfaces or VLANs in the same monitoring session.
> >
> > monitor session 1 source interface fa0/1,fa0/2,fa0/3
> >
> > Andrew
> >
> > On Mon, Mar 3, 2008 at 4:55 PM, Stephen Reese <rsreese@gmail.com> wrote:
> > > I've been using a Cisco 2950 for a single tap I have set up and it has
> > > worked fine to date.
> > >
> > > !
> > > interface FastEthernet0/1
> > > switchport access vlan 100
> > > duplex full
> > > !
> > > interface FastEthernet0/2
> > > switchport access vlan 100
> > > duplex full
> > > !
> > > !
> > > monitor session 1 source interface Fa0/1
> > > monitor session 1 destination interface Fa0/3
> > >
> > > Port one is the internet source, port two is to my routing device and
> > > three is to my sensor.
> > >
> > > I would like to set up some more taps without having to run more
> > > switches. An alternative is to purchase a tap still (around $300) or
> > > make one from scratch
> > > (http://www.altsec.info/passive-network-tap.html) but I would prefer
> > > not to have to deal with bonding interfaces. I was considering another
> > > 2950 switch (still costs around $250 used) but I figure there has got
> > > to be a better solution? A port aggregator seems to be out of the
> > > question since they seem to run around $1000...
> > >
> > > Any recommendations? Thanks.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
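The BPF split Seth proposes above, as an added example that is not part of the thread: a small Python check, over constructed sample packets, that the two filters `net 10.0.0.0/8` and `not net 10.0.0.0/8` send every packet to exactly one snort instance (and so exactly one sensor_id), and that a plausible-looking src/dst split does not. The BPF `net` primitive matches when either the source or the destination address is in the prefix, which is what makes the complement exact.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample traffic (not from the thread): (src, dst) pairs of the
# kind that would be mixed together on the single SPAN destination port.
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("10.1.2.3", "203.0.113.10"),      # internal host -> internet
    ("203.0.113.10", "10.1.2.3"),      # internet -> internal host (reply)
    ("198.51.100.7", "203.0.113.10"),  # neither address in 10/8
    ("10.9.9.9", "10.8.8.8"),          # both addresses in 10/8
]

def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def bpf_net(net: str):
    """BPF 'net X': true when EITHER src or dst lies in X."""
    return lambda src, dst: in_net(src, net) or in_net(dst, net)

def bpf_not(f):
    return lambda src, dst: not f(src, dst)

# The split Seth proposes: the two filters are exact complements.
GOOD_SPLIT = {
    1: ("net 10.0.0.0/8", bpf_net("10.0.0.0/8")),
    2: ("not net 10.0.0.0/8", bpf_not(bpf_net("10.0.0.0/8"))),
}

# A tempting but wrong split (constructed): src-only and dst-only filters
# overlap on internal-to-internal traffic and miss external-to-external.
BAD_SPLIT = {
    1: ("src net 10.0.0.0/8", lambda s, d: in_net(s, "10.0.0.0/8")),
    2: ("dst net 10.0.0.0/8", lambda s, d: in_net(d, "10.0.0.0/8")),
}

def matching_instances(split, src: str, dst: str) -> List[int]:
    """Ids of every snort instance whose BPF filter accepts the packet."""
    return [sid for sid, (_, accept) in split.items() if accept(src, dst)]

def check_partition(split, packets) -> Dict[Tuple[str, str], int]:
    """Map each packet to the one instance (and hence sensor_id) that logs it;
    raise if any packet would be captured by zero or several instances."""
    out = {}
    for src, dst in packets:
        hits = matching_instances(split, src, dst)
        if len(hits) != 1:
            raise ValueError(f"{src}->{dst} matched instances {hits}")
        out[(src, dst)] = hits[0]
    return out
```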