
Re: [Snort-users] Port Aggregator Tap alternatives for snort sensor

Subject: Re: [Snort-users] Port Aggregator Tap alternatives for snort sensor
Date: Tue, 4 Mar 2008 09:22:47 -0500
 Also besides the different networks the sensor
 is still going to combine everything but I guess filters could be used
 to help dissect the traffic?

Sounds like an excellent case for the use of BPF filters and multiple
instances of snort.

instance 1 - snort <params> net 10.0.0.0/8
instance 2 - snort <params> not net 10.0.0.0/8

This way you will make SURE that anything the first instance doesn't
grab the second one will.

I can use the same sensor but then all of the traffic would also be
 piled into one database and/or alerts.

Regarding the database, you can use the sensor_id (not sure if that is
exactly right) parameter of the output database plug-in to identify
which instance of snort logged each alert in BASE or whatever you are
using.

Regards,

Seth

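Seth's suggestion of two snort instances with complementary BPF filters is worth checking mechanically before deploying it, because two filters that merely look disjoint can leave traffic unseen by every instance or inspected twice. The Python below is an added example, not code from this thread or from the Snort project: it evaluates the small "net" / "not net" subset of BPF that the thread uses over constructed sample traffic, verifies that every packet goes to exactly one instance, and builds one command line per instance. The filter evaluator, the sample addresses, the instance names, the per-instance log directory and the `<params>` placeholder are all my assumptions; the instance name is the value you would carry into the database as the sensor identifier.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample traffic: (src, dst) pairs standing in for what the SPAN
# destination port hands the sensor. 10.0.0.0/8 plays the router-side network
# from the thread; the other addresses are documentation ranges.
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("10.1.2.3", "203.0.113.10"),
    ("203.0.113.10", "10.1.2.3"),
    ("192.168.5.7", "198.51.100.4"),
    ("198.51.100.4", "192.168.5.7"),
    ("10.200.1.1", "10.200.1.2"),
    ("172.16.0.9", "198.51.100.4"),
]

# Seth's split: the second filter is the exact complement of the first.
COMPLEMENTARY: Dict[str, str] = {
    "inst1": "net 10.0.0.0/8",
    "inst2": "not net 10.0.0.0/8",
}

# A tempting but wrong split: two positive nets, so anything outside both
# (172.16.0.9 above) is inspected by nobody.
NAIVE: Dict[str, str] = {
    "inst1": "net 10.0.0.0/8",
    "inst2": "net 192.168.0.0/16",
}


def bpf_net_matches(expr: str, src: str, dst: str) -> bool:
    """Evaluate 'net A/B' or 'not net A/B' against one packet.

    As in real BPF, 'net' matches when either endpoint lies in the network.
    This is an illustrative evaluator for the thread's filters, not libpcap.
    """
    tokens = expr.split()
    negate = False
    if tokens and tokens[0] == "not":
        negate = True
        tokens = tokens[1:]
    if len(tokens) != 2 or tokens[0] != "net":
        raise ValueError(f"unsupported filter: {expr!r}")
    network = ipaddress.ip_network(tokens[1], strict=False)
    hit = (ipaddress.ip_address(src) in network
           or ipaddress.ip_address(dst) in network)
    return not hit if negate else hit


def assign_instances(instances: Dict[str, str],
                     packets: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each packet ('src->dst') to the instances whose filter accepts it.

    A sound deployment yields exactly one instance name per packet; that name
    is what distinguishes the instances' alerts once they share a database.
    """
    result: Dict[str, List[str]] = {}
    for src, dst in packets:
        result[f"{src}->{dst}"] = [name for name, expr in instances.items()
                                   if bpf_net_matches(expr, src, dst)]
    return result


def check_partition(instances: Dict[str, str],
                    packets: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Return (unseen, double_counted): packets no instance inspects, and
    packets more than one instance inspects. Both lists empty means the
    filters partition the traffic, which is the property Seth relies on."""
    assigned = assign_instances(instances, packets)
    unseen = [k for k, names in assigned.items() if not names]
    double = [k for k, names in assigned.items() if len(names) > 1]
    return unseen, double


def snort_command_lines(instances: Dict[str, str],
                        params: str = "-c /etc/snort/snort.conf -i eth0") -> List[str]:
    """Build one snort invocation per instance: shared parameters, a separate
    log directory per instance (assumed layout), and the instance's BPF
    expression as the trailing positional filter, as in Seth's example."""
    return [f"snort {params} -l /var/log/snort/{name} {expr}"
            for name, expr in instances.items()]


if __name__ == "__main__":
    for label, split in (("complementary", COMPLEMENTARY), ("naive", NAIVE)):
        unseen, double = check_partition(split, SAMPLE_PACKETS)
        print(f"{label}: unseen={unseen} double_counted={double}")
    for line in snort_command_lines(COMPLEMENTARY):
        print(line)
```

Running the script shows the complementary split with no unseen and no double-counted packets, while the naive split reports the 172.16.0.9 flow as unseen; swapping the second filter for a subnet of the first would instead surface double-counting, which is the other failure mode this check catches.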
On Mon, Mar 3, 2008 at 8:51 PM, Stephen Reese <rsreese@gmail.com> wrote:
I can use the same sensor but then all of the traffic would also be
 piled into one database and/or alerts. Is there a way to separate or
 tag the traffic so snort or anything else for that matter can discern
 the traffic?

 Also the taps will be on different networks.

 ---internet----> TAP ---router---> TAP ----network cloud---

 So internet and router reside on ports 1 and 2 of the 2950 switch.
 Sensor port 3. Could the output of the router go to port say 4 and out
 5 to the network and the sensor also monitor those two assuming they
 should be on their own VLAN so there isn't any interference or will
 there be a problem with having multiple networks on the same switch due to
 broadcasts and whatnot. Also besides the different networks the sensor
 is still going to combine everything but I guess filters could be used
 to help dissect the traffic?

 Thanks for the help.



 On Mon, Mar 3, 2008 at 7:39 PM, Andrew Willy <andrewwilly@gmail.com> wrote:
 > Is the same sensor to analyze the multiple taps? You may define multiple
 > source interfaces or VLANs in the same monitoring session.
 >
 > monitor session 1 source interface fa0/1,fa0/2,fa0/3
 >
 > Andrew
 >
 >
 >
 >
 >  On Mon, Mar 3, 2008 at 4:55 PM, Stephen Reese <rsreese@gmail.com> wrote:
 > >
 > >
 > >
 > > I've been using a Cisco 2950 for a single tap I have set up and it has
 > > worked fine to date.
 > >
 > > !
 > > interface FastEthernet0/1
 > >  switchport access vlan 100
 > >  duplex full
 > > !
 > > interface FastEthernet0/2
 > >  switchport access vlan 100
 > >  duplex full
 > > !
 > > !
 > > monitor session 1 source interface Fa0/1
 > > monitor session 1 destination interface Fa0/3
 > >
 > > Port one is the internet source, port two is to my routing device and
 > > three is to my sensor.
 > >
 > > I would like to setup some more taps without having to run more
 > > switches. An alternative is to purchase a tap still (around $300) or
 > > making one from scratch
 > > (http://www.altsec.info/passive-network-tap.html) but I would prefer
 > > not to have to deal with bonding interfaces. I was considering another
 > > 2950 switch (still cost around $250 used) but I figure there has got
 > > to be a better solution? A port aggregator seems to be out of the
 > > question since they seem to run around $1000...
 > >
 > > Any recommendations? Thanks.
 > >
 > > -------------------------------------------------------------------------
 > > This SF.net email is sponsored by: Microsoft
 > > Defy all challenges. Microsoft(R) Visual Studio 2008.
 > > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
 > > _______________________________________________
 > > Snort-users mailing list
 > > Snort-users@lists.sourceforge.net
 > > Go to this URL to change user options or unsubscribe:
 > > https://lists.sourceforge.net/lists/listinfo/snort-users
 > > Snort-users list archive:
 > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
 > >
 >
 >


