<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>Topic Re: Using SNORT w/4108gl switches in Switches, Hubs, and Modems</title>
    <link>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578007#M5429</link>
    <description>We are also considering the 5300xl. If we have an environment with a 5300 and a 4108, can I plug a SNORT listener into the 5300 and see all the traffic traversing the 5300 *and* the 4100 successfully?</description>
    <pubDate>Mon, 01 Aug 2005 12:32:38 GMT</pubDate>
    <dc:creator>Mark Landin</dc:creator>
    <dc:date>2005-08-01T12:32:38Z</dc:date>
    <item>
      <title>Using SNORT w/4108gl switches</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578002#M5424</link>
      <description>We are wanting to set up a snort box (&lt;A href="http://www.snort.org" target="_blank"&gt;www.snort.org&lt;/A&gt;) to help track down an infected machine in our network. Snort, of course, requires that it be able to see all traffic on the network.&lt;BR /&gt;&lt;BR /&gt;So how can I do that when I have 4108gl switches in my switch core? The 4108gl has a limitation w/regard to setting up a "monitor" port .. it can only do "ingress monitoring".&lt;BR /&gt;&lt;BR /&gt;Is anyone successfully using snort in an environment with 4108gl switches?</description>
      <pubDate>Thu, 07 Jul 2005 10:44:31 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578002#M5424</guid>
      <dc:creator>Mark Landin</dc:creator>
      <dc:date>2005-07-07T10:44:31Z</dc:date>
    </item>
    <item>
      <title>Re: Using SNORT w/4108gl switches</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578003#M5425</link>
      <description>Mark,&lt;BR /&gt;Not sure off the top. I would think that the snort forums would be better equipped to answer this question. Have you tried there?&lt;BR /&gt;-Jeff&lt;BR /&gt;</description>
      <pubDate>Wed, 13 Jul 2005 09:37:52 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578003#M5425</guid>
      <dc:creator>Jeff Brownell</dc:creator>
      <dc:date>2005-07-13T09:37:52Z</dc:date>
    </item>
    <item>
      <title>Re: Using SNORT w/4108gl switches</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578004#M5426</link>
      <description>Hi Mark -&lt;BR /&gt;&lt;BR /&gt;If you can monitor all of the traffic entering the 4108gl, that should be sufficient, shouldn't it?&lt;BR /&gt;&lt;BR /&gt;Ralph</description>
      <pubDate>Wed, 13 Jul 2005 10:57:12 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578004#M5426</guid>
      <dc:creator>Ralph Bean_2</dc:creator>
      <dc:date>2005-07-13T10:57:12Z</dc:date>
    </item>
    <item>
      <title>Re: Using SNORT w/4108gl switches</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578005#M5427</link>
      <description>Hello Mark,&lt;BR /&gt;&lt;BR /&gt;Know exactly what you are talking about. ProCurve Switches could do the egress port monitoring only for a long time. Lately ingress port monitoring shows up in the current firmware versions for some series. &lt;BR /&gt;&lt;BR /&gt;I tried to give it a quick shot on the website but you really need to figure out the release notes of the current firmware. This feature change is pushed out consequently. &lt;BR /&gt;&lt;BR /&gt;On the other hand we have only one monitor port where the traffic is aggregated. So what you might do is configure more than one port to monitor and then aggregate that on the monitor port and get therefore more knowledge of the questionable device. &lt;BR /&gt;&lt;BR /&gt;If you like to squeeze in the questionable box you need the uplinks to be configured, which leave the 4100. Then you have a chance to gather IP and MAC information you can look up in the switches' address caches and there find the referring ports. &lt;BR /&gt;&lt;BR /&gt;For dedicated hints I need some more knowledge about your network configuration, e.g. address spaces and routing.</description>
      <pubDate>Fri, 29 Jul 2005 03:23:05 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578005#M5427</guid>
      <dc:creator>Frank Benke_1</dc:creator>
      <dc:date>2005-07-29T03:23:05Z</dc:date>
    </item>
    <item>
      <title>Re: Using SNORT w/4108gl switches</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578006#M5428</link>
      <description>As a previous post specified, there were a handful of ProCurve switches which were initially only capable of monitoring ingress traffic. The ability to monitor bi-directional traffic (both ingress and egress) has been added to most of our switches in recent firmware revisions. &lt;BR /&gt;&lt;BR /&gt;The 4100 series remains an exception. The ProCurve 4100 series switches are only capable of monitoring ingress-only traffic and it will remain this way.&lt;BR /&gt;&lt;BR /&gt;If bi-directional monitoring is the key to getting your SNORT capture to succeed in tracking down an infected machine, there is a workaround which may meet your needs. The details of the workaround have been previously posted to the ITRC at &lt;A href="http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=317326" target="_blank"&gt;http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=317326&lt;/A&gt; titled "HP Procurve 2650 - mirroring - does it work?" One of the postings by Ardon (Dec 20, 2003 10:35:43 GMT) contains an attachment. The details for setting up the workaround are in that attachment.&lt;BR /&gt;&lt;BR /&gt;This is quite admittedly a rather inelegant workaround. However, it is quite effective. I would never recommend this configuration for long term bi-directional monitoring. But for a quick method to capture data and isolate your infected client, this should do the trick nicely.</description>
      <pubDate>Mon, 01 Aug 2005 12:04:19 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578006#M5428</guid>
      <dc:creator>Kevin Richter_1</dc:creator>
      <dc:date>2005-08-01T12:04:19Z</dc:date>
    </item>
    <item>
      <title>Re: Using SNORT w/4108gl switches</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578007#M5429</link>
      <description>We are also considering the 5300xl. If we have an environment with a 5300 and a 4108, can I plug a SNORT listener into the 5300 and see all the traffic traversing the 5300 *and* the 4100 successfully?</description>
      <pubDate>Mon, 01 Aug 2005 12:32:38 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578007#M5429</guid>
      <dc:creator>Mark Landin</dc:creator>
      <dc:date>2005-08-01T12:32:38Z</dc:date>
    </item>
    <item>
      <title>Re: Using SNORT w/4108gl switches</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578008#M5430</link>
      <description>The ProCurve 5300 series switches support bi-directional port monitoring (both ingress and egress traffic). It would be a good example of a better or "more elegant" long term solution.</description>
      <pubDate>Mon, 01 Aug 2005 13:47:11 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578008#M5430</guid>
      <dc:creator>Kevin Richter_1</dc:creator>
      <dc:date>2005-08-01T13:47:11Z</dc:date>
    </item>
    <item>
      <title>Re: Using SNORT w/4108gl switches</title>
      <link>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578009#M5431</link>
      <description>I missed the second part of your question in my previous reply. The 5300 would be able to monitor all traffic (bi-directional) on the link to-from the 4100. It cannot directly monitor ports on a different switch (e.g. the 4100). With switches, you configure monitoring to copy traffic to-from ports on that switch to a designated port where the monitor or capture device (SNORT) is connected. The 5300 would be able to monitor any or all ports in the 5300 (including the link to-from the 4100) but cannot monitor the 4100's ports directly.</description>
      <pubDate>Mon, 01 Aug 2005 13:56:15 GMT</pubDate>
      <guid>https://community.hpe.com/t5/switches-hubs-and-modems/using-snort-w-4108gl-switches/m-p/3578009#M5431</guid>
      <dc:creator>Kevin Richter_1</dc:creator>
      <dc:date>2005-08-01T13:56:15Z</dc:date>
    </item>
  </channel>
</rss>

