Snort mailing list archives
RE: snort implement questions?
From: "Moyer, Shawn" <SMoyer () rgare com>
Date: Fri, 26 Jul 2002 14:36:21 -0500
1) If everything that you want to see is connected to the hub, then yes, you can see everything that way, if running in promisc. mode. If you run snort on the firewall, you would not need promisc to see everything if all you want to monitor is what is passing through the firewall anyway.

2) There are a number of reasons why you might want to use a tap instead of the span-port or mirror-port function on a switch. For one, the tap splits the signal into inbound (rx) and outbound (tx) so you can monitor one or both sides of a connection. Also, if (as is my case at work) your network admins need the span port for other network diagnostics and the type of switch you use can only have one mirror port per switch, you may need to use a tap instead. For most people the taps aren't necessary though.

--shawn
-----Original Message-----
From: Vincent Chen [mailto:vcba79 () ms1 hinet net]
Sent: Thursday, July 25, 2002 21:42
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort implement questions?

Dear all,

I got 2 questions about snort implement:

1. If I connect snort to a HUB, promiscuous mode should be enabled to let snort see all activities, right? But if I run snort on a gateway which also acts as a firewall, is it necessary to enable promiscuous mode? All inbound and outbound traffic will go through this box in this case.

2. I saw an article which mentioned a TAP device recently. I don't quite understand this article. If my switch can redirect all traffic to the port which the snort box is connected to, do I need such a device?

Best regards,
Vincent Chen

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
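Added example (not part of either message above, and not Snort code): a small model of a NIC's receive filter, showing why a sensor on a hub needs promiscuous mode while a sensor on the gateway already receives the traffic that passes through it. The MAC addresses, the frames and the helper names (`nic_accepts`, `visible`, `hub_segment`) are constructed for illustration.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")

# Constructed, locally administered MAC addresses (assumptions for the example).
SENSOR = "02:00:00:00:00:01"
HOST_A = "02:00:00:00:00:0a"
HOST_B = "02:00:00:00:00:0b"
GATEWAY = "02:00:00:00:00:fe"

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def eth_frame(dst, src, ethertype=0x0800, payload=b""):
    """Build a minimal Ethernet II frame: dst(6) + src(6) + ethertype(2) + payload."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def nic_accepts(frame, nic_mac, promisc=False, mcast_groups=()):
    """Model of the hardware receive filter applied before the host sees a frame."""
    if len(frame) < 14:
        return False                      # shorter than an Ethernet header
    if promisc:
        return True                       # filter disabled: everything is passed up
    dst = frame[:6]
    if dst == mac(nic_mac) or dst == BROADCAST:
        return True
    if dst[0] & 1:                        # group bit set: multicast destination
        return dst in {mac(g) for g in mcast_groups}
    return False                          # unicast addressed to another station

def visible(frames, nic_mac, promisc):
    """Frames a capture process on this NIC would receive."""
    return [f for f in frames if nic_accepts(f, nic_mac, promisc)]

def hub_segment():
    """Every port on a hub receives all of these frames on the wire."""
    return [
        eth_frame(HOST_A, HOST_B),             # local host-to-host traffic
        eth_frame(HOST_B, HOST_A),
        eth_frame("ff:ff:ff:ff:ff:ff", HOST_A, ethertype=0x0806),  # ARP broadcast
        eth_frame(GATEWAY, HOST_A),            # outbound: next hop is the gateway
    ]

if __name__ == "__main__":
    frames = hub_segment()
    print("sensor, promisc off:", len(visible(frames, SENSOR, False)))
    print("sensor, promisc on: ", len(visible(frames, SENSOR, True)))
    print("gateway, promisc off:", len(visible(frames, GATEWAY, False)))
```

The gateway case covers only traffic whose layer-2 next hop is the gateway; host-to-host traffic on the same segment still requires promiscuous mode, a mirror port or a tap.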