CONFIGURE YOUR SWITCH
To be sure your IDS analyzes the data you want, you must mirror the traffic of a switch port or VLAN. For this, we will use the "port mirroring" mechanism which means the switch duplicates the traffic on your chosen interface or VLAN and send it to Snort.
Of course, on your IDS system, you need at least one network interface to listen to the traffic, but if you can have two network ports, this will be much more better because you will able to dedicate one of both for the IDS management and the other one will be configured without IP address just to receive the mirrored (or spanned) traffic. In this case, the IDS management data will not "pollute" the mirrored traffic.
 |
Here are three "port mirroring" examples with Cisco and Juniper/Netscreen switches:
Cisco Catalyst 6509 or 3750:| Cisco_device#configure terminal Cisco_device(config)#monitor session 1 source interface GigabitEthernet x/x Cisco_device(config)#monitor session 1 destination interface GigabitEthernet x/x |
Cisco Catalyst 3500XL:| Cisco_device#configure terminal Cisco_device(config)#interface FastEthernet x/x Cisco_device(config-if)#port monitor FastEthernet x/x |
Juniper/Netscreen FireWall 25| set mirror port source interface1 destination interface2 |