setting up an IDS..
Results 1 to 8 of 8

Thread: setting up an IDS..

  1. #1
    Join Date
    Oct 2006

    setting up an IDS..

    I was thinking on setting up snort on one of my boxes, but I have a question since in a switch lan I'll be only capturing data in and out of my box only, what's the right way of setting up snort so it captures data in and out of my three servers, without having to put a hub in the middle.........

    thanks in advance.

  2. #2
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    It depends on the switch you are using, if it's a managed switch look into port spanning/mirroring
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  3. #3
    Senior Member
    Join Date
    Oct 2003
    Most dont support that unless they are really high end. You can always use ARP Cache poisioning.

  4. #4
    Join Date
    Oct 2006
    Quote Originally Posted by oofki
    Most dont support that unless they are really high end. You can always use ARP Cache poisioning.
    when I usually want to capture data from a computer in my network that's what I do....but I dont want to leave it running for too long, I may DOS my target machine, because the machine doing the routing or (MITM ATTACK) is just a desktop and not capable of handling big amounts of data.........correct me if I'm wrong


  5. #5
    Senior Member wolfman1984's Avatar
    Join Date
    Aug 2007
    The Wolfman doesn't know if this will suit your cool cat requirements, but perhaps putting a network tap in your DMZ to capture all traffic coming in and out your network?

    For example:

    Server 1 Server 2 Server 3
    The Wolfman's Homepage:
    Do you dig the Wolfman?? Sign his Ghoulbook or listen to him Howl

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    If your goal is to see traffic in/out of your network, you can use some proxy/vpn/firewall/ids all in one like IPCOP. It has snort built right into it and it runs on pretty low hardware. Keep in mind, if you do it this way, you're only going to be inspecting traffic to/from the internet. Not ALL traffic on the LAN.

    If you want to capture traffic on your LAN, you'll have to use either the HUB or a port spanning switch. Either way, either physically or logically, you have to put some device between them to capture the traffic betwen them. It's just the rules of networking. Arp spoofing would work for lower end switches, but the higher end swiches have protection against this. I would not use this approach long term or in production for the reason you've already mentioned.

    Be careful which IDS you use and how much resources you have to spare. I just built a snort box to monitor a 100MB connection with Dual Core AMD 64bit processors, 2gigs of DDR2 PC5300 (667mhz) RAM, Hardened (high secure worksation security policy, disabled all unused services, hardened whatever left over services I could) XP Pro 64bit 2003, mysql, IIS6 (w/SSL).

    Snort is using 1.6gigs of memory when starting up and levels off to around 1.5gigs. The commit charge of the box is around 2gigs... so I'm using almost ALL physical memory available and falling back on the pagefile. Not ideal for an IDS... especially since I only have one 7200RPM SATAII HD in there for OS, pagefile, programs, sql database and IIS. I should have two HDs or even three. I'll have to bump the memory even more and look at into getting a second HD to increase read/write performance of the database and IIS. However, at this time... it's not dropping packets and it's in a testing environment.

    I just finally moved away from the 2.4.x line. The 2.4.x line didn't use nearly as much memory...
    Last edited by phishphreek; September 5th, 2007 at 06:38 PM.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #7
    Taps are the way to go, if you can afford em.

    I've also tried dumb things like using a box as a router and snort on that box, created a bridge from a linux box and run snort on it.

    Hub are cheap and easy, but Taps are great if your budget will allow it.

    Port mirroring is nice, some switch will actually dump off pcap info that you can run thru snort as well. I don't have access to a Catalyst to check on it, but Nortel Passports have the option for sure.
    Last edited by caveman8fb; September 5th, 2007 at 06:53 PM.

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    Cisco switches (CatOS and IOS) have this option too. It's called a SPAN (Switched Port ANalyzer) port.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

Similar Threads

  1. Apache, PHP, MySQL with basic security settings.
    By nightcat in forum The Security Tutorials Forum
    Replies: 9
    Last Post: May 28th, 2005, 02:47 AM
  2. Setting up an FTP server on SUSE Linux 9.1 Professional
    By gore in forum Other Tutorials Forum
    Replies: 0
    Last Post: October 11th, 2004, 07:07 PM
  3. Linux trash bin
    By allenb1963 in forum *nix Security Discussions
    Replies: 1
    Last Post: July 30th, 2003, 05:09 AM
  4. Award BIOS Setting...
    By JohnHACK in forum AntiOnline's General Chit Chat
    Replies: 2
    Last Post: June 7th, 2003, 04:09 AM
  5. Award BIOS Setting...
    By JohnHACK in forum Miscellaneous Security Discussions
    Replies: 8
    Last Post: June 6th, 2003, 05:01 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts