Snort mailing list archives
RE: switch port settings?
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Tue, 1 Oct 2002 12:29:32 -0400
If you have to see every bit of traffic from every machine, this is the only practical way. It all depends on what you consider to be worth monitoring/protecting. If every one of those systems warrants packet-by-packet IDS inspection, then that's the way it has to be.

Having said that, when deploying this type of sensor, you need to consider some serious rule tuning, or you get what you're getting right now. Either look at reducing your false positives to an acceptable level, do some serious report-side clean-up, or re-evaluate your collection scheme. It only takes a couple of days before an IDS that generates too many alerts to evaluate is considered useless.

Cheers

Keith

-----Original Message-----
From: Matthew Harrell [mailto:mhar () plex com]
Sent: Tuesday, October 01, 2002 11:53 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] switch port settings?

I recently changed the switch port that my Snort box is on so that it hears the traffic that hits all the ports on the switch. This seems like it is a good idea in order to have a true NIDS; however, since doing so, I'm FLOODED with tons of alert and portscan log entries. I'm in the process of playing with ACID to improve the usage of these logs, but is it a good idea to leave the switch port set this way?

-----------------
Matt Harrell
Plexus Systems
mhar () plex com

-------------------------------------------------------
This sf.net email is sponsored by: DEDICATED SERVERS only $89!
Linux or FreeBSD, FREE setup, FAST network. Get your own server
today at http://www.ServePath.com/indexfm.htm
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:
- switch port settings? Matthew Harrell (Oct 01)
- Re: switch port settings? Matt Kettler (Oct 01)
- <Possible follow-ups>
- RE: switch port settings? McCammon, Keith (Oct 01)