Snort mailing list archives
RE: what's the best setup?
From: "Chris Eidem" <ceidem () Dexma com>
Date: Mon, 17 Jun 2002 10:39:34 -0500
Depending on your switch, you can set up a monitoring port (port span in ciscoland) and mirror the ports your servers are on to that port and sniff from there. Potential problem is that the combined bandwidth could sink your switch's backplane, so ymmv... If you are lucky and have these servers on different switches, then you could span multiple ports with multiple cards in your snortbox.

- chris
I was thinking about installing a "master" snort box, which would sniff on its own port and use mysql to store the data, and acid to present it through a web interface, and then install snort "sensors" on the other servers and report the data to the "master" server. The only problem with this is that some of the win servers are smp and winpcap doesn't like smp. Is there another way to sniff out these servers without installing a "sensor" locally (did I miss something in the manual) or am I just S-O-L?
Current thread:
- what's the best setup? c white (Jun 17)
- <Possible follow-ups>
- RE: what's the best setup? Chris Eidem (Jun 17)