Snort mailing list archives

RE: Snort and network taps


From: Fuchs Bernhard <Bernhard.Fuchs () itellium com>
Date: Wed, 24 Apr 2002 14:32:38 +0200

counter.spy () gmx de:

About a year ago I inherited an NIDS architecture that included 15 passive
taps, monitoring various router/firewall points.  The original configuration
had all the taps terminated to a Cisco switch which was configured to
forward traffic to one port which led to an NIDS sensor (Not Snort..).  The
first thing I noticed was that some of the ports were constantly blocking,
due to a Cisco traffic management feature ("spanning tree" I believe, I am
by no means a Cisco expert!)  But no matter what our LAN/WAN guys did we
still lost packets! (Side Note:  Apparently the first architecture included
a 10/100 auto sensing hub instead of a switch, which was recommended by the
NIDS vendor. And from what I have been told, you could have painted the
collision indicator amber because it was always on...;-)

That could be, if "auto sensing" is on. We have had problems with this
many times. If one part (machine, switch) is set to 100mb full duplex and
the other part is set to "auto sensing", the packet loss increases.  Set both
sides to 100mb full duplex.

Just a thought

Bernhard Fuchs 
Junior System-Engineer 
IT-Sicherheit 

ITELLIUM 
Systems & Services GmbH 
Fürther Straße 205 
90429 Nürnberg 

Tel.:   +49-911-14-27321 
Fax:    +49-911-14-22016 
mailto:bernhard.fuchs () itellium com 
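
Added example, not part of the original message: a shell check for the forced/auto mix described in the reply, run against the sensor's capture interface. It assumes a Linux sensor with `ethtool`, an interface named `eth1`, and constructed sample output; the MISMATCH-SUSPECTED case goes slightly beyond the post by using the fact that an auto-negotiating port facing a forced peer falls back to half duplex.

```shell
#!/bin/sh
# Added example. Classify a sensor NIC link from `ethtool <iface>` output on stdin.
# Live use (eth1 is an assumed name): ethtool eth1 | link_verdict 100Mb/s Full

link_verdict() {
    # $1 = agreed speed, $2 = agreed duplex (what the tap/switch side is forced to)
    awk -v ws="$1" -v wd="$2" '
        /^[ \t]*Speed:/            { speed = $2 }
        /^[ \t]*Duplex:/           { duplex = $2 }
        /^[ \t]*Auto-negotiation:/ { autoneg = $2 }
        END {
            # auto side that ended up at half duplex: classic forced/auto mix
            if (autoneg == "on" && duplex == "Half") { v = "MISMATCH-SUSPECTED" }
            # link is up but not at the agreed values
            else if (speed != ws || duplex != wd)    { v = "WRONG-SETTING" }
            # values are right today but not pinned on this side
            else if (autoneg == "on")                { v = "AUTONEG-ON" }
            else                                     { v = "OK" }
            printf "%s speed=%s duplex=%s autoneg=%s\n", v, speed, duplex, autoneg
            exit (v == "OK" ? 0 : 1)
        }'
}

sample_mismatch() {   # constructed output: peer forced, sensor left on auto
cat <<'EOF'
Settings for eth1:
    Advertised auto-negotiation: Yes
    Speed: 100Mb/s
    Duplex: Half
    Auto-negotiation: on
    Link detected: yes
EOF
}

sample_forced() {     # constructed output: sensor forced to 100 full
cat <<'EOF'
Settings for eth1:
    Speed: 100Mb/s
    Duplex: Full
    Auto-negotiation: off
    Link detected: yes
EOF
}

sample_mismatch | link_verdict 100Mb/s Full || true
sample_forced   | link_verdict 100Mb/s Full
```

A non-OK verdict on a capture port is worth correlating with the interface error counters before trusting the sensor's alert volume.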

