Re: Snort on switched network

[Erek Adams <erek () theadamsfamily net>]

On Tue, 9 Oct 2001, Ashley Thomas wrote:

> It is a bad idea to run Snort (or any IDS for that matter) on a switched
> network, am i right ?
> Are there any work arounds ?

No, it's not a 'bad thing', you just may not get what you expect.  Switches
manitain a list of MAC addresses and what port they are connected to on the
switch.  They only send traffic destined for that MAC down that port.  In
other words, you usually can't sniff all the traffic.

Workarounds?  Well, if your switch has a port designed for monitoring, or you
can configure spanning (some Ciscos) or port mirroring you'll see all of the
traffic.  If that's not possible, then drop about $400 on a Shomiti tap.  You
can place that in front of the switch and get the same results as
spanning/mirroring.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users