[unisog] Network taps for IDS

John Kristoff jtk at depaul.edu
Thu Nov 8 21:38:49 GMT 2001


Greg Francis wrote:
> I'm setting up a permanent Snort IDS and I would like to tap into various
> parts of the network that lie between the routers and switches. Currently, I
> mirror the inbound switch port to dump the traffic to the IDS box. However,
> since we can only mirror a port to one other port, we'd have to disable the
> mirror periodically to do diagnostics and sometimes it doesn't get switched
> back. It also adds overhead to the switch that I would rather avoid.

If you have a shared hub, you can connect the mirrored port to it, then
attach the Snort IDS and any other monitoring device to the hub.
There are shared hubs for 10 and 100 Mb/s ethernet.  No shared gig
though, so...

A tap such as something from one of these two folks (can't vouch for
either):

http://www.netoptics.com/
http://www.toplayer.com/

Something I've wanted to try:

If you could force a switch into flood mode, you could also put the
mirror port onto a separate switch.  This would be a great feature. 
Essentially you want to disable bridge address lookup for traffic coming
in on a specific port.  It would be nice if that was a knob, but I guess
if you could manually configure the address table with bogus addresses
that might work too.  Just make sure your mirror port on the production
switch is set to not receive any traffic (as a precaution).

John
