On Mon, May 20, 2002 at 08:42:14PM +0100, Antony Stone wrote:

> On Monday 20 May 2002 8:35 pm, Ramin Alidousti wrote:
> >
> > > Now that you mention it Snort can do that, and checks every packet, which
> > > is great. It just needs a table of valid MACs/IPs
> > >
> > > Unfortunately, here, with over 800 computers, managed via BOOTP on 4
> > > different LANs and Cisco routers it would require to set up an additional
> > > Linux host with all interfaces to all LANs and update the MAC/IP tables
> > > every time there is a change to bootptab. Hmm, I think it's a good idea.
> >
> > 800 computers on 4 LANs. Hmmm. Follow the logic:
> >
> > Plugging the snort box into all these 4 LANs requires that snort
> > sees all the packets on each LAN, which means that you either have
> > no switch in each LAN or need to mirror all the traffic to the snort
> > switch port. Hmmm. Good luck.
>
> No, you just plug each network card on the snort box into a hub connected to
> the corresponding leg of the router. Then the snort box gets to see all
> packets to or from another network, and doesn't need to know about packets

Wasn't he saying that the attack was coming from within the subnet? If the
attack is not within the same subnet then simple anti-spoofing ACLs on the
Cisco interfaces do the work without the need of snorting...

Ramin

> within a single network which are handled by the switch (or was the problem
> in this case that one host on a network was flooding another host on the same
> network ?).
>
>
> Antony.
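The two cases the thread separates (a MAC/IP table from bootptab catches spoofing by hosts on the sensor's own LAN; traffic that arrived through the router carries the router's MAC, so only anti-spoofing ACLs on the router interfaces can cover it) as an added illustration, not code from anyone in this thread. The bootptab excerpt, host MACs and router MAC below are constructed sample data.

```python
"""Spoof check a Snort-style sensor on one LAN would need, driven by bootptab."""
import ipaddress

# Constructed bootptab excerpt (bootpd tag syntax: ht=hw type, ha=hw addr, ip=addr).
# Hardware addresses are written as plain hex so the ':' tag separator stays unambiguous.
BOOTPTAB = """\
# global defaults
.default:sm=255.255.255.0:gw=10.1.1.1
host-a:tc=.default:ht=1:ha=00A0C9112233:ip=10.1.1.10
host-b:tc=.default:ht=1:ha=00A0C9445566:ip=10.1.1.11
"""


def norm_mac(mac):
    """Canonical lowercase hex without separators, so table lookups match."""
    return mac.replace(":", "").replace("-", "").lower()


def parse_bootptab(text):
    """Return {mac: ip} for every entry that carries both ha= and ip= tags."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tags = dict(t.split("=", 1) for t in line.split(":")[1:] if "=" in t)
        if "ha" in tags and "ip" in tags:
            table[norm_mac(tags["ha"])] = tags["ip"]
    return table


def check_packet(table, lan, router_mac, src_mac, src_ip):
    """Classify one frame as the sensor on `lan` (e.g. '10.1.1.0/24') sees it.

    ok            source MAC and IP match the bootptab assignment
    spoof         a known local host used an IP it was not assigned
    unknown       source MAC is not in bootptab at all
    routed        frame was forwarded by the router; the MAC check says nothing
    routed-spoof  forwarded frame claims a local source IP, i.e. a spoofed packet
                  the router's ingress anti-spoofing ACL should have dropped
    """
    src_mac = norm_mac(src_mac)
    local = ipaddress.ip_address(src_ip) in ipaddress.ip_network(lan)
    if src_mac == norm_mac(router_mac):
        return "routed-spoof" if local else "routed"
    if src_mac not in table:
        return "unknown"
    return "ok" if table[src_mac] == src_ip else "spoof"
```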
