RE: about mirroring port

From: Rob Shein (shotenstarpower.net)
Date: Tue Mar 18 2003 - 21:36:22 CST


Um...

If I understand correctly, you're concerned about your aggregate traffic
being greater than 100 Mbps, and therefore you will have problems with
setting up a snort-based IDS on your switch. It also seems that you're
planning on forcing the sum of your network traffic to pass through your
snort IDS, to slow down the network traffic. This is because you're
concerned that the IDS will not be able to keep up, as it's not very robust
hardware.

I don't recommend that you do any of this...even if I could come up with an
elegant way to transparently force all traffic on your switch to route
through one box in its travels, the impact on your network would be
horrendous, and the load on the linux box from actually handling the
packets (as well as analyzing them) would be worse than if it were merely
set up as a standard IDS. Remember, the usability of the network comes
first, the IDS comes second; not the other way around. Networks are not
installed so that the IDS will have something to do :)

As for what you can do, given the hardware you have and the options laid out
for you, I would recommend limiting the scope of your IDS monitoring to
inbound/outbound internet traffic, or perhaps to a select broadcast domain.
Either way, you end up dealing with a lesser amount of traffic, which
solves your aggregation problem as well as the challenge of not overloading
your IDS hardware.

> -----Original Message-----
> From: SB CH [mailto:chulmin2hotmail.com]
> Sent: Monday, March 17, 2003 7:37 PM
> To: focus-idssecurityfocus.com
> Subject: about mirroring port
>
>
>
> hello, all.
>
> I would like to set up an IDS (like snort) on a mirroring port of a
> Cisco Catalyst switch.
> But all of the network traffic is over 100M, and my Linux server which
> runs snort is not very good hardware.
>
> So I think that when I set up snort on the mirroring port, all traffic
> would have to go via the Linux server, so the network speed would be slow.
>
> Question.
>
> 1. When I set up the mirroring port, would all traffic (for example,
> port 2 traffic) be transferred like this, or just copied to the
> mirroring port too?
>
> (1) client --> mirroring port1 --> port 2
> (2) client --> port 2
> --> mirroring port (copy too)
>
> 2. Is there any problem when I set snort on the mirroring port if the
> traffic is so high (over 100~200M)?
>
> 3. Do you know any commands to set up a mirroring port on a Catalyst
> 400x (CatOS based) switch?
>
>
> Thanks in advance.
>
> -----------------------------------------------------------
> ALERT: Exploiting Web Applications- A Step-by-Step Attack
> Analysis Learn why 70% of today's successful hacks involve
> Web Application attacks such as: SQL Injection, XSS, Cookie
> Manipulation and Parameter
> Manipulation.
> http://www.spidynamics.com/mktg/webappsecurity71
>
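One way to apply the scoping advice above on a CatOS Catalyst, as an added example that is not part of either post: a SPAN session that mirrors only the internet uplink (or one VLAN) to the sensor port instead of every access port. Module/port numbers, the VLAN id and the uplink location are assumptions, and the CatOS `set span` options should be confirmed against the switch's own documentation.

```text
# Assumed layout: internet uplink on 1/1, snort sensor on 3/1,
# user access ports on module 2, user broadcast domain VLAN 10.
# Each "set span" below replaces the previous session; pick one.

# Mirroring every access port sums all their traffic onto one
# 100 Mbps destination port; whatever exceeds it is dropped before
# the sensor ever sees it (the aggregation problem).
set span 2/1-48 3/1 both

# Narrower scope: copy only inbound/outbound internet traffic by
# mirroring the uplink. Both directions of one 100 Mbps link can
# still approach 200 Mbps on a 100 Mbps destination port.
set span 1/1 3/1 both

# Or one broadcast domain: mirror a single VLAN, receive side only,
# which roughly halves the copied volume compared with "both".
set span 10 3/1 rx

# Verify the session and watch the destination port for drops.
show span
show port 3/1
```

The original traffic keeps flowing between its source and destination ports; the SPAN destination only receives a copy, so the sensor is never in the forwarding path.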
