-
September 2nd, 2007, 04:04 AM
#1
Member
setting up an IDS..
I was thinking of setting up snort on one of my boxes, but I have a question: since on a switched LAN I'll only be capturing data in and out of my own box, what's the right way of setting up snort so it captures data in and out of my three servers, without having to put a hub in the middle?
thanks in advance.
-
September 2nd, 2007, 02:33 PM
#2
It depends on the switch you are using; if it's a managed switch, look into port spanning/mirroring.
There are two rules for success in life:
Rule 1: Don't tell people everything you know.
-
September 3rd, 2007, 01:06 AM
#3
Most don't support that unless they are really high end. You can always use ARP cache poisoning.
-
September 3rd, 2007, 05:10 AM
#4
Member
Originally Posted by oofki:
    Most don't support that unless they are really high end. You can always use ARP cache poisoning.
When I want to capture data from a computer in my network, that's what I usually do, but I don't want to leave it running for too long: I may DoS my target machine, because the machine doing the routing (the MITM attack) is just a desktop and not capable of handling big amounts of data. Correct me if I'm wrong.
thanks
-
September 4th, 2007, 02:52 PM
#5
The Wolfman doesn't know if this will suit your cool cat requirements, but perhaps putting a network tap in your DMZ to capture all traffic coming in and out of your network?
For example:
Internet
|
TAP/Snort
|
Router
|
Server 1 Server 2 Server 3
-
September 5th, 2007, 11:52 AM
#6
If your goal is to see traffic in/out of your network, you can use some proxy/vpn/firewall/ids all in one like IPCOP. It has snort built right into it and it runs on pretty low hardware. http://ipcop.org Keep in mind, if you do it this way, you're only going to be inspecting traffic to/from the internet. Not ALL traffic on the LAN.
If you want to capture traffic on your LAN, you'll have to use either the hub or a port spanning switch. Either way, physically or logically, you have to put some device between them to capture the traffic between them. It's just the rules of networking. ARP spoofing would work for lower end switches, but the higher end switches have protection against this. I would not use this approach long term or in production for the reason you've already mentioned.
Be careful which IDS you use and how much resources you have to spare. I just built a snort 2.7.0.1 box to monitor a 100MB connection with Dual Core AMD 64bit processors, 2 gigs of DDR2 PC5300 (667mhz) RAM, hardened (high secure workstation security policy, disabled all unused services, hardened whatever leftover services I could) XP Pro 64bit 2003, mysql, IIS6 (w/SSL).
Snort is using 1.6 gigs of memory when starting up and levels off to around 1.5 gigs. The commit charge of the box is around 2 gigs... so I'm using almost ALL physical memory available and falling back on the pagefile. Not ideal for an IDS... especially since I only have one 7200RPM SATAII HD in there for OS, pagefile, programs, sql database and IIS. I should have two HDs or even three. I'll have to bump the memory even more and look into getting a second HD to increase read/write performance of the database and IIS. However, at this time... it's not dropping packets and it's in a testing environment.
I just finally moved away from the 2.4.x line. The 2.4.x line didn't use nearly as much memory...
Last edited by phishphreek; September 5th, 2007 at 06:38 PM.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
September 5th, 2007, 06:45 PM
#7
Taps are the way to go, if you can afford 'em.
I've also tried dumb things like using a box as a router and snort on that box, created a bridge from a linux box and run snort on it.
Hubs are cheap and easy, but taps are great if your budget will allow it.
Port mirroring is nice; some switches will actually dump off pcap info that you can run through snort as well. I don't have access to a Catalyst to check on it, but Nortel Passports have the option for sure.
Last edited by caveman8fb; September 5th, 2007 at 06:53 PM.
-
September 5th, 2007, 07:00 PM
#8
Cisco switches (CatOS and IOS) have this option too. It's called a SPAN (Switched Port ANalyzer) port.
http://www.cisco.com/warp/public/473/41.html
Oliver's Law:
Experience is something you don't get until just after you need it.
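As an added example (not code from any poster in this thread), here is the port mirroring approach from posts #2, #6 and #8 carried through end to end: a small script that emits the Cisco IOS SPAN configuration mirroring the three server ports to the port the snort box sits on, and prepares the Linux sensor NIC so snort sees the mirrored traffic. The interface names (Gi0/1-3, Gi0/24, eth1), the session number and the snort config path are assumptions for illustration; the IOS `monitor session` commands, the `ip`/`ethtool` commands and the snort flags are real.

```shell
#!/bin/sh
# Added example, not from the thread: mirror three server ports to one sensor
# port with a Cisco IOS SPAN session, then prepare a Linux snort sensor NIC.
# Interface names, session id and config path below are assumed for illustration.

# Print the IOS lines that mirror each source port (both directions) to the
# destination port the snort box is cabled to. The destination port carries
# copies only; the sensor cannot talk back through it.
# Usage: span_config <session-id> <dest-port> <src-port>...
span_config() {
    session="$1"; dest="$2"; shift 2
    printf 'no monitor session %s\n' "$session"   # start from a clean session
    for src in "$@"; do
        printf 'monitor session %s source interface %s both\n' "$session" "$src"
    done
    printf 'monitor session %s destination interface %s\n' "$session" "$dest"
}

# Sensor NIC: no IP address, promiscuous mode, and NIC offloading disabled so
# snort sees frames as they were on the wire. Management stays on another NIC.
prepare_sensor_iface() {
    iface="$1"
    ip addr flush dev "$iface"
    ip link set dev "$iface" up promisc on
    ethtool -K "$iface" gro off lro off tso off gso off 2>/dev/null || true
}

# Run snort in IDS mode on the sensor NIC, fast alerts, daemonized.
start_snort() {
    iface="$1"; conf="${2:-/etc/snort/snort.conf}"
    snort -i "$iface" -c "$conf" -A fast -l /var/log/snort -D
}

# Emitting the switch config is harmless anywhere; the NIC changes and snort
# start need root on the sensor, so they only run when invoked with --apply.
span_config 1 Gi0/24 Gi0/1 Gi0/2 Gi0/3
if [ "${1:-}" = "--apply" ]; then
    prepare_sensor_iface eth1
    start_snort eth1
fi
```

Paste the printed lines into the switch's global configuration; as post #6 notes, a SPAN session only shows the sensor what passes the mirrored ports, so a server-to-server conversation on ports you did not list will still be invisible, and a saturated destination port drops mirrored frames silently.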