Re: Snort in a switched environment

["Bruno Taranto" <bruno () hiss com br>]

u can do that:

  INET
     |
ROUTER
     |
 HUB --------- SNORT
     |
SWITCH
     |
COMPANY

:-)

its simple... but work!

___________________________________
Internet Security Services
HISS, Inc.
Bruno Taranto
phone: +55 21 2221-2180
phone: +55 21 2508-0505 r.741
phone/fax: +55 21 2232-6209
email: bruno () hiss com br
corporate site: http://www.hiss.com.br
security portal: http://www.hacker.com.br
___________________________________



----- Original Message -----
From: "Matt Yackley" <Matt.Yackley () perkinswill com>
To: <snort-users () lists sourceforge net>
Sent: Tuesday, May 14, 2002 12:41 PM
Subject: RE: [Snort-users] Snort in a switched environment


> The trouble with a switch is that it stores MAC address in a table for
each
> port and will only send data to the specific port that is the destination,
> the execptions are broadcast traffic and perhaps when a new device is
placed
> on the network.  A way around the problem is if the switch handles port
> mirroring, you can mirror traffic from selected ports to a port that you
> specfiy as the monitoring port.  Check the user manual that came with the
> switch to see if it supports port mirroring.
>
> Matt
>
> -----Original Message-----
> From: Bastian Ballmann [mailto:ballmann () co-de de]
> Sent: Tuesday, May 14, 2002 10:20 AM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Snort in a switched environment
>
>
> Hello!
> Is it possible to run Snort in a switched environment? Cause Snort can
only
> sniff the traffic of the host he is running on. Unless he is doing
something
> like ARP poisoning or something like this...
> But I think this would lead into trouble if you run the arpspoof
> preprocessor
> ;)
> Greets
>
> Bastian Ballmann
> --
> Bastian Ballmann [ ballmann () co-de de ]
> @ Computational Design GmbH
> [ http://www.co-de.de ]
>
> _______________________________________________________________
>
> Have big pipes? SourceForge.net is looking for download mirrors. We supply
> the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> _______________________________________________________________
>
> Have big pipes? SourceForge.net is looking for download mirrors. We supply
> the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users