From: Regis B. <rba...@in...> - 2010-02-03 17:07:11

Sallee, Stephen (Jake) wrote:
> Has anybody deployed PF with SNORT in a large routed environment?
>
> We have about 40+ buildings on campus and as I understand it we would
> need to enable a RSPAN vlan on each of the switches and direct the
> traffic to the PF box. But it seems to me that this would cause A LOT
> of overhead. I would really like to know if SNORT is viable in a larger
> environment.

You have to take a step back here and think about what you want to do.
Snort is an IDS and it triggers alerts based on the traffic it sees.

In a perfect world, Snort would control the traffic on all your network,
"all" being the internal traffic and the external traffic. In reality,
this is NOT feasible, because you would never see the traffic between
two devices plugged into the same switch. The maximum you could do is to
plug a Snort into every switch; then you'd see the internal traffic
between the switches. Or RSPAN the traffic from every switch to Snort.
But as you said, this is not realistic.

I don't know what your goal with Snort is, but if you want to detect
intrusions (which is the function of Snort) like viruses, worms or even
P2P, I'd recommend simply RSPANing the outbound traffic only (just
before it is NATed, so you see the internal IPs). In most cases, if a
computer is infected with a virus or a worm, the first thing it does is
communicate with the external network. When someone does P2P, he/she
generally downloads his/her stuff from the external network. Snort can
be used for that.

If you want to monitor the internal traffic, you could RSPAN some
traffic from key locations/switches so you can see a lot of the internal
traffic. But I think you can't expect more from Snort.

This is my personal view, I may be wrong.

> Could it be done that SNORT could be run on a small box ON the local
> VLAN that SNORT is supposed to be monitoring and then send violation
> notifications to the PF server for the PF server to do with as it
> pleases? This seems like it would be a good way to alleviate overhead
> on the uplinks.

This can be done. It all depends on how many VLANs you want to monitor.
In a big routed network, if you want to monitor many VLANs, you would
have to use many Snort boxes. Or RSPAN trunk ports.

Regis Balzard
rba...@in... :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and PacketFence (www.packetfence.org)

> Thoughts and comments are welcome.
>
> Jake Sallee
> Network Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton Texas, 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
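The reply's two practical points are that the sensor has to see traffic before NAT (otherwise every alert carries the firewall's public address and cannot be pinned on a campus host) and that a per-VLAN Snort box can hand "violations" to the PF server. The following is an added example, not code from the thread, from Snort or from PacketFence: it parses Snort's one-line "fast" alert format, works out which internal host each alert belongs to, and collapses a batch into one action per host and signature. The alert lines, the SIDs in them and the priority threshold are constructed for illustration, and the hand-off to PacketFence is deliberately left out; the functions just return what a NAC would act on.

```python
"""Added example: triage Snort -A fast alerts into per-host actions.

Assumptions (mine, not the thread's): Snort 2 fast alert format, internal
hosts in RFC 1918 space, priority 1 = most severe, and alerts with
priority > 2 are not worth a NAC action. Handing results to PacketFence
is out of scope; the functions only return the (host, sid) pairs.
"""
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One Snort -A fast line (IPv4 only here; ICMP alerts carry no ports), e.g.
# 02/03-16:55:01.123456  [**] [1:2003328:3] msg [**] [Classification: x] [Priority: 2] {TCP} 10.1.20.55:51413 -> 203.0.113.10:6881
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"   # classification is optional
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["priority"] = int(d.pop("prio"))
    d["src"] = ipaddress.ip_address(d["src"])
    d["dst"] = ipaddress.ip_address(d["dst"])
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def internal_endpoint(alert):
    """The campus host an alert can be pinned on: the internal source first
    (infected hosts and P2P clients talk outward, as the reply notes), else an
    internal destination, else None. None is exactly what a sensor placed
    *after* NAT produces: every flow shows the firewall's public address."""
    if is_internal(alert["src"]):
        return alert["src"]
    if is_internal(alert["dst"]):
        return alert["dst"]
    return None


def triage(lines, max_priority=2):
    """Reduce a batch of alert lines to one action per (internal host, sid).
    Alerts with no internal endpoint are reported separately so a mis-placed
    (post-NAT) tap shows up instead of being silently dropped."""
    actions = {}          # (host, sid) -> first alert seen for that pair
    unattributable = []   # alerts with no internal endpoint
    ignored = malformed = 0
    for line in lines:
        a = parse_fast_alert(line)
        if a is None:
            malformed += 1
            continue
        if a["priority"] > max_priority:
            ignored += 1
            continue
        host = internal_endpoint(a)
        if host is None:
            unattributable.append(a)
            continue
        actions.setdefault((str(host), a["sid"]), a)
    return {"actions": actions, "unattributable": unattributable,
            "ignored": ignored, "malformed": malformed}


# Constructed sample alerts; SIDs and messages are arbitrary, not real rule IDs.
SAMPLE_ALERTS = [
    "02/03-16:55:01.123456  [**] [1:2003328:3] P2P BitTorrent peer sync [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.1.20.55:51413 -> 203.0.113.10:6881",
    "02/03-16:55:04.000001  [**] [1:2003328:3] P2P BitTorrent peer sync [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.1.20.55:51413 -> 203.0.113.77:6881",
    "02/03-16:56:10.555555  [**] [1:2009001:2] Worm outbound beacon to C&C [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.3.7.12:49152 -> 198.51.100.4:8080",
    "02/03-16:56:11.000000  [**] [1:2100366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.77 -> 10.3.7.12",
    "02/03-16:57:00.000000  [**] [1:2009001:2] Worm outbound beacon to C&C [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.200:40001 -> 198.51.100.4:8080",
    "02/03-16:57:30.000000  [**] [1:1000001:1] Local rule: outbound IRC join [**] [Priority: 2] {TCP} 10.3.7.12:50000 -> 198.51.100.9:6667",
    "this line is not a snort alert",
]

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for (host, sid), a in sorted(result["actions"].items()):
        print(f"act on {host}: sid {sid} ({a['msg']})")
    for a in result["unattributable"]:
        print(f"no internal endpoint for {a['src']} -> {a['dst']}: is the tap after NAT?")
    print(f"ignored={result['ignored']} malformed={result['malformed']}")
```

On the sample batch the two BitTorrent alerts for 10.1.20.55 collapse into one action, 10.3.7.12 gets one action per signature, the inbound priority-3 ping is ignored, and the alert whose source is the public address 203.0.113.200 is flagged as unattributable, which is the symptom to expect if the RSPAN session is fed from the outside of the NAT device rather than the inside.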