Solved

Please help me figure out SNORT machine placement

November 28, 2013 7:34:09 PM

Hello,

My home network consists of a cable modem, connected to a PIX-501 firewall. I have the firewall connected to a 24-port switch, which in turn I use to connect all my clients. The firewall still has 3 unused Ethernet ports.

I have a Snort machine; I'm trying to figure out where the best place to plug it in is. If I connect to either a port on the PIX or to the workgroup switch, I will only get broadcast traffic, and traffic destined for the SNORT machine.

I have a document (Google: Snort 2.9.3 and Snort Report Ubuntu 12.04) which shows that I should put a switch with mirrored port in between the broadband, and firewall. I don't want to use a full-fledged switch so I tried placing a hub between these two appliances. But the PIX was never able to get an internet connection; that didn't surprise me.

Since I have that hub (and I've verified it's a true 8-port hub) - can anybody suggest how I can engineer this setup to capture all traffic coming in?

I am also considering purchasing an ASA 5505 to replace the PIX. Would this give me more options?

Awaiting your advice - thank you!!
-bk6662
November 29, 2013 4:51:40 AM

You do not want to put any form of HUB between your internet and your firewall. You will end up in half duplex and kill your performance.

You can buy actual taps designed to do this, but they cable a little differently than mirror ports do.

Most ASAs cannot do mirroring; some, on certain software levels, if they contain a switch model, support the span command, but you cannot span the native ports on the device.

Does your current 24-port switch support mirroring/span? You could monitor the data before the firewall, which should be almost as good as doing it after.
November 29, 2013 10:35:21 AM

Hi Bill,

Thanks a bunch for your response. I agree that a hub would kill performance, although I would still like to make it work (as a test) if possible. But once I cabled it inline, the F/W was no longer able to establish a connection. I assume it outright won't work; that the PIX requires a PtP link.

As far as I know taps are expensive - no justification for me to spend that kind of money for my little home network.

Thanks for the info on ASA features. I'm looking at the low-end model, so I doubt it would provide any additional capabilities.

The switch I currently use is an unmanaged Cisco SWR-24; it doesn't support spanning / port mirroring. I do have a few 2950s floating around that do support it. But I'm trying to keep the noise level down; impossible with those boxes. Do you know if there's a fanless switch available that does support span /mirrored ports? If so, that's the route I'll go.

Thanks again!
Brian
Best solution

November 29, 2013 11:40:18 AM

There are a couple of vendors that make fanless 24-port managed switches. I used an HP one, but I don't know if it did port mirroring; it did VLAN tags and multicast, so I would hope it could do mirroring. I think it was a 1810.

If you do some searching you will find instructions on how to make a homemade tap with just cable. Like the commercial tap it has 2 outputs rather than 1 like you do on a mirror port. This is because, unlike a mirror port, the transmit and receive are not combined. What you are doing is hooking the pairs 1 at a time (or to 2 different ports) to the receive leads of your computer's Ethernet port. Since you do not hook up the transmit pair from your computer it cannot contaminate the signal.

I have only done this at 10/100. It is possible at 1G, but you must use 2 groups of 2 pairs, and I never bothered to try.

Since you are in effect stealing power off the connection it will affect the distance the cable can do, but that should not be an issue for you. This is part of the reason commercial taps cost: somehow they are doing this but not affecting the power.
November 30, 2013 12:04:42 PM

I followed your advice, and found an article describing how to make a homemade tap similar to what you've described above...thanks! I haven't used it to tap into my main internet connection (between the cable modem and firewall) yet, b/c it seems a little "messy". But I verified that it does work.

Concerning the "span / mirrored" port solution. I just purchased a 24-port fanless managed switch on eBay. Will I be able to connect it inline, to accomplish what I'm trying to do? Specifically can I connect the cable from the cable modem to this switch...then connect a cable from this switch to my PIX firewall, and will the PIX then be able to provide internet access to my internal clients? My experience with the HUB was that it would not work. Will it work with the switch? If so then I'll be able to mirror to one of those ports, and have the IDS monitoring that port.

Thanks again!
Brian
November 30, 2013 12:40:50 PM

I figured you would replace your existing 24 port switch. Kinda a waste to use a 24 port switch for 2 ports.

I suspect the reason you had trouble with a hub is the duplex stuff.

I can't see any way the modem or the firewall would even be able to detect a switch. It is a pretty simple device; it just keeps lists of MAC addresses and forwards data to those. I have done this many times and the only time I ever had a problem was when the duplex was hard set on one of the devices. When it was running auto it all worked ok.
November 30, 2013 9:17:41 PM

Good point about the 24-port switch being a waste. Guess I should have searched around for something smaller, but figured I would have a hard time finding one that allowed me to manage, and set up for port spanning. Thanks again for all your assistance!
December 5, 2013 7:38:24 AM

bill001g said:
I figured you would replace your existing 24 port switch. Kinda a waste to use a 24 port switch for 2 ports.

I suspect the reason you had trouble with a hub is the duplex stuff.

I can't see any way the modem or the firewall would even be able to detect a switch. It is a pretty simple device; it just keeps lists of MAC addresses and forwards data to those. I have done this many times and the only time I ever had a problem was when the duplex was hard set on one of the devices. When it was running auto it all worked ok.

Wanted to let you know I still hit a brick wall. No matter what I use - hub, unmanaged switch, managed switch - my PIX is unable to get an IP address from the ISP if I am going through the switch. I did some more searching online and found a plausible explanation. According to the poster, ISPs use the MAC address to control the number of devices connected to their equipment. In my case I would have two MACs connected: the switch, and then the PIX. So the PIX is losing out and not getting an IP from the ISP.

I am going to keep searching for a solution. Please let me know if you have any additional ideas that I can try.

Thanks!
-bk
December 5, 2013 9:16:53 AM

The switch itself should not have a MAC. It might have one for its management IP. The only way I could see it having any problems at all would be if the switch did DHCP and claimed the IP before the PIX would.

A switch is very very simple in how it works.

It listens to ports and when it sees a packet it will take the source MAC address from the packet and put it in its internal table, saying MAC xx:xx:xx:xx is on port yy. It then looks up the destination MAC address in this same table. If it finds an entry it forwards the packet to the corresponding port. If not, it floods it to all ports. Now in theory the destination MAC address was on one of those ports. When it responds to the packet the switch will now see this new MAC address as a source and put it in its table for that port. The destination MAC in this packet it already knows, because it learned it on the previous packet. From this point forward it knows about both these MAC addresses and no longer floods the traffic.

Now there is always a bunch of invalid MAC and other junk going in both directions, but the cable modem and the PC will ignore any flooded traffic that is not to their MAC address.

I can't say why this does not work. I am assuming the port physically comes up; you just do not get an IP.
Normally a cable modem is very stubborn: you unplug your PC and try to plug in a router and it will refuse to accept the new MAC address. It will stay with the PC MAC until you power cycle the modem.
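As an added illustration (not from the thread), here is a toy model of the learning-switch behaviour Bill describes, laid out like the OP's network: PIX on port 0, cable modem on port 1, Snort on port 2. It shows why the Snort port sees only flooded frames unless it is configured as the SPAN/mirror destination. The MAC addresses are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class LearningSwitch:
    ports: int
    mirror: Optional[int] = None          # SPAN/mirror destination port, if any
    table: Dict[str, int] = field(default_factory=dict)  # MAC -> port

    def receive(self, in_port: int, frame: Frame) -> List[int]:
        """Handle a frame arriving on in_port; return the list of egress ports."""
        # Learn: the source MAC is reachable via the ingress port.
        self.table[frame.src] = in_port
        out = self.table.get(frame.dst)
        if out is None:
            # Unknown or broadcast destination: flood to every other port.
            egress = [p for p in range(self.ports) if p != in_port]
        elif out == in_port:
            egress = []                   # same segment: nothing to forward
        else:
            egress = [out]                # known destination: forward only there
        # A mirror port additionally receives a copy of every frame.
        if self.mirror is not None and self.mirror != in_port and self.mirror not in egress:
            egress.append(self.mirror)
        return egress


def ids_visibility(mirror: Optional[int]) -> List[List[int]]:
    """Constructed sample: PIX on port 0, cable modem on port 1, Snort on port 2.
    Returns the egress ports for each step of a DHCP lease exchange."""
    sw = LearningSwitch(ports=3, mirror=mirror)
    pix, modem = "00:00:00:aa:aa:aa", "00:00:00:bb:bb:bb"   # constructed MACs
    bcast = "ff:ff:ff:ff:ff:ff"
    return [
        sw.receive(0, Frame(pix, bcast)),   # DHCP discover: flooded, Snort sees it
        sw.receive(1, Frame(modem, pix)),   # offer: PIX already learned on port 0
        sw.receive(0, Frame(pix, modem)),   # request: modem learned on port 1
    ]


if __name__ == "__main__":
    print("no mirror:", ids_visibility(None))   # Snort only gets the broadcast
    print("mirror=2: ", ids_visibility(2))      # Snort gets every frame
```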
December 10, 2013 8:50:48 AM

Hi Bill00g. Wanted to let you know that I confirmed my earlier statement with my ISP. They use the MAC address to control how many IPs they give out. And since all devices have a MAC address, the switch is the first device connected and therefore the one they are trying to assign their IP address to.

I have found a way around this - sort of (it's still in progress). I hung a router with 2 interfaces to my cable modem. That interface gets the ISP IP address. Then the other interface goes to a switch, which is also connected to my PIX. I have this portion working, and connectivity all the way through. However I still haven't been able to get my internal hosts out to the internet. Traffic seems to be getting blocked by the PIX. I saw a post you answered earlier this year about a similar issue (to jtorres) - wondering if that's my issue.

I opened a separate post called "PIX won't talk to router??". I am hoping you will take a look at that one and help me out!