Re: Snort Help - Network IDS

From: Brian Whitehead (brian_at_whiteheadconsulting.com)
Date: 04/15/04

    Date: Wed, 14 Apr 2004 20:02:27 -0500 (CDT)
    To: <jhaith@genesissys.com>
    
    

    > Recently I posted a question on different types of monitoring and IDS
    > setups. I have decided to go with Snort and have been using it on a
    > smaller network with no problem. However, now I need to move it to a
    > production network which will consist of around 100 servers all linked
    > through 3Com switches and going out through a WatchGuard firewall. I'm
    > looking for different ways to implement this without setting up another
    > single point of failure device, which our firewall is. I'm not confident
    > enough yet to risk something like that. I haven't found much information
    > on packet sniffing when it comes to multiple entry points, found some
    > info on wiretap, etc., but I've always received such great help on here I
    > thought I would ask before I decided on something. Would really
    > appreciate any help, I'm in a heck of a bind right now. Thanks.
    >
    >
    > firewall
    > |
    > -3comswitch-servers
    > -3comswitch-servers
    > -3comswitch-servers
    >
    > ids?
    >
    >
    > Jason Haith

    Jason,

    If you don't want a single point of failure, such as using it inline between
    the firewall and switch, then you will need to set up port monitoring on
    your switches. Some switches cannot do this across stacked switches, so
    check the documentation on your switches. Also, if you are using multiple
    VLANs you will not be able to use a single box, unless it has multiple
    NICs to monitor more than one VLAN. Basically, the Snort box will be
    connected directly to one of the switches and the switch will be
    configured to mirror all traffic to the port that it's plugged into.
    Usually this can be configured to monitor either ingress, egress or
    traffic both ways.

    One thing to note is that the port that the NIDS is connected to cannot
    talk on the network. It can only listen. So, you will either need to
    access it physically at the console or put an additional NIC in the box to
    access it remotely. Again, with the stacked switches this will depend on
    the capabilities of the switch. Some can be managed and actually know
    that the ports on the other switches exist, while others will simply know
    that the MAC addresses for several machines exist through a single port. In
    the latter case, you should still be able to monitor all of the traffic in
    and out of the single port, but you won't be able to monitor traffic
    destined for the same switch if it's not directly connected. Just make
    sure that wherever you connect the NIDS that it can see all of the
    machines whose traffic you want to monitor.

    I'm sure you might be able to do some confounded setup like mirroring all
    traffic on each switch to a single port and then connect that port to the
    next switch. This would mean you would have two connections between each
    port. One that is simply mirroring the traffic and the other that is the
    actual uplink. I'm not sure this kind of setup would be a good idea
    though. You could also put multiple NICs in the box and connect one to
    each switch. The one downfall I can see to this is that you will see some
    traffic more than once as it heads through the switches to get in and out
    of the firewall.

    Hope this helps. Sorry if I confuse you. The new Snort 2.1 book is due
    out this month if you need a good reference.
    http://www.syngress.com/catalog/sg_main.cfm?pid=2950

    ----------
    |firewall|
    ----------
        |
    ----------    --------
    |switch  |====|IDSBOX|
    ----------    --------
        |
    ----------
    |switch  |
    ----------
        |
    ----------
    |switch  |
    ----------

    --
    Brian W
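As an added illustration of the last caveat in Brian's reply (one NIC per switch means the same frame is seen once per hop), here is a small Python dedup pass over a constructed capture. It is not code from the post or from Snort; the record layout and sample packets are assumptions made for the example.

```python
"""Collapse copies of one packet seen on several mirror-port NICs.

Added example, not from the original post. Records are assumed to be
tuples of (timestamp_s, iface, src, dst, proto, sport, dport, ip_id, payload),
i.e. what a capture tool would hand back per interface.
"""
from collections import deque
import hashlib


def packet_key(pkt):
    """Identity of the packet itself, independent of which NIC saw it."""
    _ts, _iface, src, dst, proto, sport, dport, ip_id, payload = pkt
    digest = hashlib.sha1(payload).hexdigest()[:16]
    return (src, dst, proto, sport, dport, ip_id, digest)


def dedupe(packets, window=0.1):
    """Drop copies seen within `window` seconds of an earlier copy.

    A TCP retransmission carries a new IP ID, so it is kept; a copy that
    arrives on another NIC a few ms later is the same frame and is dropped.
    """
    recent = {}      # key -> timestamp of the copy we kept
    order = deque()  # (timestamp, key), oldest first, for bounded memory
    kept = []
    for pkt in sorted(packets, key=lambda p: p[0]):
        ts = pkt[0]
        while order and ts - order[0][0] > window:  # expire old entries
            old_ts, old_key = order.popleft()
            if recent.get(old_key) == old_ts:
                del recent[old_key]
        key = packet_key(pkt)
        last = recent.get(key)
        if last is not None and ts - last <= window:
            continue  # same packet, mirrored again by the next switch
        recent[key] = ts
        order.append((ts, key))
        kept.append(pkt)
    return kept


# Constructed sample: one HTTP request crossing three switches, a DNS query,
# and a genuine retransmission of the request (new IP ID) 300 ms later.
SAMPLE = [
    (1.000, "eth1", "10.0.1.5", "10.0.0.1", "tcp", 40000, 80, 100, b"GET / HTTP/1.0\r\n"),
    (1.001, "eth2", "10.0.1.5", "10.0.0.1", "tcp", 40000, 80, 100, b"GET / HTTP/1.0\r\n"),
    (1.002, "eth3", "10.0.1.5", "10.0.0.1", "tcp", 40000, 80, 100, b"GET / HTTP/1.0\r\n"),
    (1.300, "eth1", "10.0.1.5", "10.0.0.1", "tcp", 40000, 80, 101, b"GET / HTTP/1.0\r\n"),
    (1.050, "eth2", "10.0.2.9", "10.0.0.1", "udp", 53001, 53, 7, b"\x00\x01"),
]

if __name__ == "__main__":
    for p in dedupe(SAMPLE):
        print(p[0], p[1], p[2], "->", p[3], p[4], "id", p[7])
```

Feed it the merged per-interface captures and alert counts stop being inflated by the mirror-port copies, while real retransmissions still show up.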
    
