Snort mailing list archives
Re: SPAN
From: HenkP () masana co za
Date: Tue, 27 Aug 2002 09:12:28 +0200
It all depends on your setup. We have a hub outside the firewall - between the firewall and our ISP's router, with a snort sensor plugged into the hub. Internally we have switches and we use SPAN to one port where another snort sensor is plugged in for mainly monitoring inside traffic to our servers. Everything works 100%.

Because we are using 2950 Catalysts and we don't have a big core switch, I can only use SPAN on one switch, but this is the switch where all our servers are connected, so any traffic destined for them will be caught on the SPAN port.

If you have a big Catalyst like a 4000, or 5000 or 6000 series core switch, then you can use SPAN not only on a port basis but you can also SPAN VLAN traffic to one port, i.e. SPAN across all internal traffic you have.

Hope that gives you some idea. Cisco's website has plenty of information on SPAN:
http://www-search.cisco.com/pcgi-bin/search/public.pl?q=SPAN+port&sa=Go&num=10&searchselector=0

Regards
Henk Pretorius

From: Chris Keladis <Chris.Keladis () cmc optus net au>
Sent by: snort-users-admin@lists.sourceforge.net
2002/08/20 03:07 AM
To: "Tim" <twr () bellsouth net>, "Snort-list" <snort-users () lists sourceforge net>
cc:
Subject: Re: [Snort-users] SPAN

At 05:34 PM 19/08/2002 -0700, Tim wrote:
Quick question, will snort sensors play with monitored ports on a Cisco 10/100 switch or is placing a hub the better way to set up the sensors?
I'm no switching expert by any stretch of the imagination, but I guess it would depend on the amount of traffic you're looking at. A monitored port on a switch would work fine for low-traffic environments, but for higher speed monitoring it's more natural to use a hub.

Personally I like Ethernet taps the best, as they 'tap' into your network stream and split your traffic to your IDS systems. One drawback with the taps is that they are usually Read-Only (there may be RW taps out there, I just have not seen them myself), so you can't use any active-response features, which I don't agree with in principle anyway.

Anyway, just my 2quid. :)

Regards,
Chris.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users