• Support
  • Forums
  • Blogs

Port Mirroring configuration

mshermanmsherman

New Life Form
Hello,

I'm looking into configuring port mirroring on my trial version of AlienVault. I'm using a VMware VM version of the sensor for my configuration.

I've also configured the SPAN ports based on what I saw in the AlienVault Documentation.

The documentation is very high level but I don't really understand how the sensor is collecting data from my switch or if there's additional configuration I need to do. 

Specifically, I need to know if I configure my switch to send the mirrored traffic to the port that my VM host is connected to?

Which port should I monitor? What's best practices?

I was wondering if there's anyone out there that could possibly help me with the more deep down configuration of port mirroring with my switch? (Brocade Switch)

Thanks!

Mike

Share post:

Answers

  • @msherman
    The USM has three types of interfaces

    1)Management
    2)Log collection and scanning
    3)Network monitoring.

    You would have seen these options after activating your trial.

    So I recommend you should have at least 3 interfaces in usm.

    But it is also fine if you have only less than3 interfaces.

    For NIDS to work in USM, you need to send the SPAN (Switched Port Analyzer, must configured in the brocade) into the network monitoring port (if you have 3 or more interfaces) or send it to any interface and ask USM to monitor the traffic in that particular interface.

    I'm adding few links to help you. Please go through those.

    https://www.alienvault.com/documentation/usm-appliance/initial-setup/managing-usm-with-vmware.htm
    https://www.alienvault.com/documentation/usm-appliance/kb/2016/02/monitoring-vmware-esx-virtual-switches.htm
    https://www.alienvault.com/documentation/usm-appliance/ids-configuration/configuring-alienvault-nids.htm




    mshermanKyleKat
  • @msherman

    I don't have Brocade specific information for you but some of the broader on port mirroring.

    When you setup the port mirroring on your switch you choose which port the USM will monitor, or which port will be plugged from the switch to the USM, and you choose which ports it will be monitoring.  Some switches will be able to mirror multiple ports at once, some wont.  My USM setup where I work is monitoring all switchports via  SPAN.  My OSSIM setup in my home lab is only monitoring my uplink from the switch to the firewall because the Unifi switch I have at home only appears to be able to do single port mirroring.

    To get as much information as possible into the USM, which should really be the goal, you should monitor all switch ports.  This will allow the NIDS to start learning network behaviors and report on anomalies between endpoints.  Communications between a desktop or laptop and your servers, for example, would no be monitored if you were only monitoring your uplink to your firewall like I do in my second example.  In this case you would only be monitoring traffic leaving your network.  

    The how on how port mirroring/SPAN/TAP ports is actually quite simple.  The destination port, or the one plugged into the USM, simply receives a COPY of every packet that goes over the source (ports being monitored) ports.

    Essentially, when setting up the port mirroring/SPAN/TAP on the switch, you are telling it which of ITS ports you want all of the other traffic sent to.  Then you plug that port into the port dedicated to the port mirroring on your VM.

    Unfortunately without knowing the model of your Brocade I can't point you towards documentation on setting up the SPAN/TAP, however, if you Google SPAN/Port Mirroring configuration Brocade (insert model here) you should be able to find what information you need relatively easily.  Otherwise, contact whoever sold you the Brocade switch.  

    And crap. OP was in April but  zsxd02 felt the need to use this post to thank you for the great website.  I'm posting anyways.  



    KyleKat
  • Great post, I'm starting to try to get NIDS going on our USM and this info definetely helps getting my head around it.

    Is setting up a span port to send all traffic to the USM monitoring interface resource-intensive?
Sign In or Register to comment.