Re: about mirroring port
From: Dejan Markovic (dejanmarkovic at hotmail.com)
Date: Mon Mar 24 2003 - 09:21:53 CST
Hi Guys,
I'd like to comment on Cisco 29xx series switches, as I have been using a
number of them with the SPAN feature enabled and multiple spanned ports
monitored by multiple instances of snort on a single Compaq box with very
good results, even though the traffic is very high most of the time. This
was tested during a Slammer attack recently where we had 7,000+ requests in
under 3 minutes just from a single source, and I must say it works for me. And
yes, you need a NIC for each monitored switch and a separate NIC just to
connect to the box.
Note: some of the newer Cisco 29xx series models need to have their IOS
updated to support SPAN, while some of the older models like the 2924xl lose
the SPAN functionality when the IOS is upgraded beyond a certain rev. number
(don't know if this has been fixed in later revisions).
Hope this helps.
Regards,
Dan
----- Original Message -----
From: "Joe Magee" <lists at joemagee.com>
To: <focus-ids at securityfocus.com>
Cc: "nate" <focus-ids at aphroland.org>
Sent: Thursday, March 20, 2003 2:36 AM
Subject: Re: about mirroring port
> >also keep in mind port mirroring on a switch for the most part isn't
> >perfect. I've read many places over time that if the switch's CPU
> >gets heavily loaded it will randomly drop packets on the mirrored
> >ports. Higher end switches may work better. Also when talking to
> >cisco a couple years ago, I was trying to do something similar,
>
> In practice, some of the higher end switches yielded the same results.
>
> >was trying to mirror ports that were uplinked to other switches,
> >not directly connected to systems, and the switch (2900xl for me
> >at the time) does not support mirroring in such a way (which was
> >proven to me by the lack of traffic on the mirrored ports),
> >according to the cisco rep I talked to. not sure if higher end
> >switches are different. I have a summit 48 here but haven't tried
> >port mirroring on it.
>
> For low bandwidth applications using a standard L2 switch's "SPAN" port
> feature may work. For multiple simultaneous copies of traffic take a look at
> the Top Layer IDS Balancer. It's a very mature product. I used it in my
> previous jobs for doing both balancing, making multiple simultaneous copies
> of traffic, and splicing off applications.
>
> For more on the topic check out:
> http://www.joemagee.com/filez/Why%20not%20use%20a%20switch.pdf
>
> >> 1. when I setup the mirroring port, all traffic (for example, port 2
> >> traffic) would transfer like this or just copy the traffic to the
> >> mirroring port too?
> >>
> >> (1) client --> mirroring port1 --> port 2
> >> (2) client --> port 2
> >>            --> mirroring port (copy too)
> >
> >I think it usually just copies the traffic on the switch itself.
> >
> >>
> >> 2. Is there any problem when I set snort at the mirroring port if the
> >> traffic is so high (over 100~200M)?
> >
> >depends on the traffic. At my last employer I had 2 snort sensors on
> >2 T1s averaging ~5% utilization. And running a full blown untuned snort
> >got me more than 40,000 events per hour. Spending dozens of hours
> >analyzing and tuning got it down to ~30 events/hour.
> >
> >
> >> 3. do you know any commands to setup a mirroring port on a catalyst
> >> 400x (catos based) switch?
> >
> >not off the top of my head, been a while since I tried port mirroring
> >on a switch.
> >
> >nate
>
> Joe Magee
> http://www.joemagee.com
>
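A sanity check for the mirrored-port drop problem nate and Joe describe (and for question 2 above), added here as an example and not code from anyone in the thread. It assumes you can collect, per polling interval, the SPAN source ports' in/out packet and byte counters from the switch and the sensor's libpcap-style received/dropped counts; it separates loss on the switch side (mirror destination oversubscribed or switch CPU starved) from loss in the sensor host, and the sample intervals are constructed.

```python
from dataclasses import dataclass


@dataclass
class Interval:
    """Counters for one polling interval (all fields are assumed inputs)."""
    seconds: float
    src_pkts: int    # packets in+out across all SPAN source ports (switch side)
    src_bytes: int   # bytes in+out across all SPAN source ports (switch side)
    cap_pkts: int    # packets the capture library delivered to snort (ps_recv)
    cap_drops: int   # packets the capture library dropped on the host (ps_drop)


def check_span(iv, dest_link_bps=100_000_000, max_loss=0.01):
    """Attribute missing mirrored packets to the switch or to the sensor host.

    Mirroring both directions of a full-duplex source port can offer up to
    twice the link rate to the SPAN destination port, so the first check is
    whether the offered load even fits the destination link.
    """
    expected = iv.src_pkts
    reached_nic = iv.cap_pkts + iv.cap_drops     # everything the host NIC got
    switch_loss = max(expected - reached_nic, 0) / expected if expected else 0.0
    host_loss = iv.cap_drops / expected if expected else 0.0
    offered_bps = iv.src_bytes * 8 / iv.seconds
    return {
        "offered_bps": offered_bps,
        "oversubscribed": offered_bps > dest_link_bps,
        "switch_loss": switch_loss,   # never reached the sensor at all
        "host_loss": host_loss,       # reached the NIC, lost in the capture stack
        "ok": switch_loss <= max_loss and host_loss <= max_loss,
    }


# Constructed sample: a quiet minute, then a minute during a flood (like the
# Slammer burst mentioned above) with two 100M source ports mirrored to one
# 100M destination port.
SAMPLE = [
    Interval(seconds=60, src_pkts=120_000, src_bytes=60_000_000,
             cap_pkts=119_900, cap_drops=0),
    Interval(seconds=60, src_pkts=1_500_000, src_bytes=1_200_000_000,
             cap_pkts=900_000, cap_drops=100_000),
]

if __name__ == "__main__":
    for iv in SAMPLE:
        r = check_span(iv)
        print(f"{r['offered_bps'] / 1e6:6.1f} Mbps offered, "
              f"oversubscribed={r['oversubscribed']}, "
              f"switch_loss={r['switch_loss']:.1%}, "
              f"host_loss={r['host_loss']:.1%}, ok={r['ok']}")
```

A large switch_loss with a small host_loss means tuning snort or the capture host will not help; the SPAN session itself is shedding packets.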