Snort mailing list archives
RE: snort implement questions?
From: "Moyer, Shawn" <SMoyer () rgare com>
Date: Fri, 26 Jul 2002 16:15:14 -0500
I plug both cables from the tap into a hub -- it's a little goofy, but my average traffic to that box is around 30Mbps, so it seems to be pretty happy.

--shawn

-----Original Message-----
From: Steve Scott [mailto:sjscott007 () earthlink net]
Sent: Friday, July 26, 2002 15:08
To: Moyer, Shawn
Cc: 'Vincent Chen'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort implement questions?

Let's not forget that if you're doing any type of stateful inspection, it's not going to work with a tap. I have yet to find an IDS vendor that has the ability to combine both streams of an Ethernet tap.

Steve

On Fri, 2002-07-26 at 14:36, Moyer, Shawn wrote:

1) If everything that you want to see is connected to the hub, then yes, you can see everything that way, if running in promisc. mode. If you run snort on the firewall, you would not need promisc to see everything if all you want to monitor is what is passing through the firewall anyway.

2) There are a number of reasons why you might want to use a tap instead of the span-port or mirror-port function on a switch. For one, the tap splits the signal into inbound (rx) and outbound (tx) so you can monitor one or both sides of a connection. Also, if (as is my case at work) your network admins need the span port for other network diagnostics and the type of switch you use can only have one mirror port per switch, you may need to use a tap instead. For most people the taps aren't necessary though.

--shawn

-----Original Message-----
From: Vincent Chen [mailto:vcba79 () ms1 hinet net]
Sent: Thursday, July 25, 2002 21:42
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort implement questions?

Dear all,

I have 2 questions about snort implementation:

1. If I connect snort to a HUB, promiscuous mode should be enabled to let snort see all activities. Right? But if I run snort on a gateway which also acts as a firewall, is it necessary to enable promiscuous mode? All inbound and outbound traffic will go through this box in this case.

2. I saw an article which mentioned a TAP device recently. I don't quite understand this article. If my switch can redirect all traffic to the port which the snort box is connected to, do I need such a device?

Best regards,
Vincent Chen

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
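The point raised in this thread (a tap delivers rx and tx as separate legs, and stateful inspection needs both), as an added example that is not part of the original messages: a minimal Python sketch in which a TCP handshake tracker only sees an established session once the two legs are interleaved by timestamp. The packet tuples, addresses and function names are constructed for illustration and are not Snort code.

```python
import heapq
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src dst flags")

# Constructed sample: one TCP handshake plus a data segment, split the way a
# tap delivers it (one leg per direction). Addresses are documentation ranges.
C, S = "192.0.2.10:40000", "198.51.100.5:80"
LEG_A = [Pkt(0.000, C, S, "S"), Pkt(0.020, C, S, "A"), Pkt(0.021, C, S, "PA")]
LEG_B = [Pkt(0.010, S, C, "SA"), Pkt(0.030, S, C, "A")]


def merge_legs(*legs):
    """Interleave per-direction captures into one stream ordered by timestamp."""
    return list(heapq.merge(*legs, key=lambda p: p.ts))


def established_flows(packets):
    """Minimal handshake tracker: SYN, then SYN-ACK back, then ACK."""
    state, done = {}, set()
    for p in packets:
        fwd, rev = (p.src, p.dst), (p.dst, p.src)
        if p.flags == "S":
            state[fwd] = "SYN_SEEN"
        elif p.flags == "SA" and state.get(rev) == "SYN_SEEN":
            state[rev] = "SYNACK_SEEN"
        elif "A" in p.flags and state.get(fwd) == "SYNACK_SEEN":
            state[fwd] = "ESTABLISHED"
            done.add(fwd)
    return done


if __name__ == "__main__":
    # A sensor on a single leg never sees a complete handshake.
    print("leg A only:  ", established_flows(LEG_A))
    print("leg B only:  ", established_flows(LEG_B))
    # Reading one leg after the other still fails: the order is wrong.
    print("concatenated:", established_flows(LEG_A + LEG_B))
    # Time-ordered interleaving (what a hub does on the wire) restores state.
    print("merged:      ", established_flows(merge_legs(LEG_A, LEG_B)))
```
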
Current thread:
- snort implement questions? Vincent Chen (Jul 26)
- <Possible follow-ups>
- RE: snort implement questions? Moyer, Shawn (Jul 26)
- RE: snort implement questions? Steve Scott (Jul 26)
- RE: snort implement questions? Moyer, Shawn (Jul 26)