Snort mailing list archives
Re: Re: What can Snort listen for (again)? (steven)
From: "Joe Pampel" <joe () ardsley com>
Date: Tue, 23 Oct 2001 07:03:16 -0400
Hi - It depends on what kind of switch you are using, and what your topology is. IMHO your best bet is to find the manual for the switch and figure out how to do the mirror port. If your network core switch is multi-homed etc., I'm not sure of the best way to deal with that; you'll really have to look at what you want to monitor and think through the best locations for a sensor or sensors (you may need several to make this work).

What I have done in the past is to pick a "choke point" - a place where all my traffic appears, and put a hub there, and sniff that. For example, I could take the LAN side of my internet gateway, put that into a hub with a Snort sensor and then run a cable back to the switch. Any traffic going to or from the 'net is now visible.

The simpler method is to mirror the port on the switch where the firewall plugs in. You will have to go into the switch and manage it to do this though.

Regards,
Joe
Piotr Synowiec <mysiar () kr sky pl> 10/22/01 04:09PM >>>
On Mon, 2001-10-22 at 21:42, Joe Pampel wrote:
If the hosts in question are plugged into the same hub as the snort sensor you're good to go. If you are running on a switch you have to create a mirror port for snort (so it can see the traffic
But how can I create this mirror port? I have got a network with a few switches in a chain.

Rgds
Piotr