
Author [Snort-users] Switched hub
patrick.marquetecken@pandora.be

2004-09-15, 9:56 am

Hi,

In about 1 month we are going to switch from a DMZ hub to a switch network. What is the best way for following the network traffic, as normal it's not possible to view other ports with a switch network.

TIA
Patrick




-------------------------------------------------------
This SF.Net email is sponsored by: thawte's Crypto Challenge Vl
Crack the code and win a Sony DCRHC40 MiniDV Digital Handycam
Camcorder. More prizes in the weekly Lunch Hour Challenge.
Sign up NOW http://ad.doubleclick.net/clk;10740251;10262165;m
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
Alex Butcher, ISC/ISYS

2004-09-15, 9:56 am



--On 15 September 2004 07:17 +0000 patrick.marquetecken@pandora.be wrote:

> In about 1 month we are going to switch from a DMZ hub to a switch
> network. What is the best way for following the network traffic, as normal
> it's not possible to view other ports with a switch network.


Actually, it is with plenty of switches (especially cheap, unmanaged
switches), if you them with ARP announcements so that they degrade into hub
mode. But I digress, as that isn't really a sensible solution for your
problem. ;-)

What you need to do is to configure a SPAN or mirror port on your switches
and connect your NIDS sensor(s) to those, or place taps between switches
and connect your NIDS sensor(s) to those. Which approach you take depends
on what you want to see.

> TIA
> Patrick


Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9




Rich Adamson

2004-09-15, 9:56 am


> In about 1 month we are going to switch from a DMZ hub to a switch
> network. What is the best way for following the network traffic, as
> normal it's not possible to view other ports with a switch network.


That all depends upon exactly whose switch you purchase. Some switches
can do port mirroring very well while others are very poor at it (or
non-existent).

Most of the HP switches (as an example) can do port mirroring, however
some only support mirroring of one-side (transmit or receive) of a
mirrored port, while other HP switches support complete VLAN mirroring
(including the default VLAN). Some cisco switches allow a single port
mirror while other models allow multiple port mirrors.

If your company is serious about security monitoring, the port mirroring
capability of your newly purchased boxes 'might' be a driving factor
as to exactly which switch is purchased.





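One way to check the point made above about switches that mirror only the transmit or only the receive side of a port: the sketch below, an added example that is not part of the thread, classifies each monitored host by which traffic directions appear in a capture taken on the sensor. The sample lines, the host addresses and the `mirror_coverage` name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample (not from the thread): tcpdump -nn -q style lines
# captured on the sensor interface attached to the mirror port.
SAMPLE = """\
09:17:01.100000 IP 192.0.2.10.80 > 198.51.100.7.51514: tcp 1448
09:17:01.101000 IP 192.0.2.10.80 > 198.51.100.7.51514: tcp 1448
09:17:01.230000 IP 192.0.2.10.80 > 203.0.113.9.40022: tcp 512
09:17:02.000000 IP 198.51.100.7.51999 > 192.0.2.20.25: tcp 60
09:17:02.050000 IP 192.0.2.20.25 > 198.51.100.7.51999: tcp 90
09:17:02.400000 IP 192.0.2.10.80 > 203.0.113.9.40022: tcp 512
"""

# "IP <src>[.<sport>] > <dst>[.<dport>]:" (the port suffix is absent for ICMP)
LINE = re.compile(r"\bIP (\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?:")

def mirror_coverage(capture_text, monitored_hosts, min_packets=2):
    """Classify each monitored host by which directions the sensor saw.

    Assumed convention: "from-host only" means only frames the switch port
    received from the host were mirrored; "to-host only" means only frames
    the port transmitted to the host were mirrored.
    """
    from_host, to_host = Counter(), Counter()
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an IPv4 line in the expected format
        src, dst = m.groups()
        from_host[src] += 1
        to_host[dst] += 1
    verdicts = {}
    for host in monitored_hosts:
        sent, received = from_host[host], to_host[host]
        if sent + received == 0:
            verdicts[host] = "not seen"         # port not mirrored at all
        elif sent + received < min_packets:
            verdicts[host] = "too few packets"  # not enough data to judge
        elif received == 0:
            verdicts[host] = "from-host only"   # one side of the port missing
        elif sent == 0:
            verdicts[host] = "to-host only"
        else:
            verdicts[host] = "both directions"
    return verdicts

if __name__ == "__main__":
    hosts = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]
    for host, verdict in mirror_coverage(SAMPLE, hosts).items():
        print(host, verdict)
```

A host that legitimately sends one-way traffic only will also show as one-sided, so judge the result over a capture long enough to include ordinary TCP sessions.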
Lyndon Tiu

2004-09-15, 9:56 am

On September 15, 2004 12:17 am, patrick.marquetecken@pandora.be wrote:
> Hi,
>
> In about 1 month we are going to switch from a DMZ hub to a switch network.
> What is the best way for following the network traffic, as normal it's not
> possible to view other ports with a switch network.
>


Use a feature called port mirroring. Available in certain medium to high end
switches.

--
Lyndon Tiu.


Jose Maria Lopez

2004-09-15, 5:45 pm

On Wed, 15 Sep 2004 at 09:17, patrick.marquetecken@pandora.be wrote:
> Hi,
>
> In about 1 month we are going to switch from a DMZ hub to a switch network.
> What is the best way for following the network traffic, as normal it's not
> possible to view other ports with a switch network.
>
> TIA
> Patrick


You should have a mirror port (or span port) that aggregates all
the network traffic.

--
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"



Patrick Marquetecken

2004-09-22, 10:25 pm

Thank you all for the answers, they were very useful.

Patrick

On 15-Sep-04 at 09:17, patrick.marquetecken@pandora.be wrote the following:

> Hi,
>
> In about 1 month we are going to switch from a DMZ hub to a switch
> network. What is the best way for following the network traffic, as
> normal it's not possible to view other ports with a switch network.
>
> TIA
> Patrick



