Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: snort implement questions?

From: "Moyer, Shawn" <SMoyer () rgare com>
Date: Fri, 26 Jul 2002 14:36:21 -0500

1) If everything that you want to see is connected to the hub, then yes, you
can see everything that way, if running in promisc. mode. If you run snort
on the firewall, you would not need promisc to see everything if all you
want to monitor is what is passing through the firewall anyway.

2) There are a number of reasons why you might want to use a tap instead of
the span-port or mirror-port function on a switch. For one, the tap splits
the signal into inbound (rx) and outbound (tx) so you can monitor one or
both sides of a connection. Also, if (as is my case at work) your network
admins need the span port for other network diagnostics and the type of
switch you use can only have one mirror port per switch, you may need to use
a tap instead. For most people the taps aren't necessary though.



--shawn




-----Original Message-----
From: Vincent Chen [mailto:vcba79 () ms1 hinet net]
Sent: Thursday, July 25, 2002 21:42
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort implement questions?



Dear all,

I got 2 questions about snort implement:

1. if I connect snort to a HUB, promiscuous mode should be enabled to
let snort see all activities. right?
But if I run snort on a gateway which also act as firewall, 
is it necessary
to enable promiscuous mode? all inbound and outbound traffice will go
through this box in this case.

2. I saw an article which mentioned TAP device recently. I don't quite
understand this article. if my switch can redirect all 
traffic to the port
which snort box connected to, do I need such a device?


Best regards,

Vincent Chen




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: