Snort mailing list archives
Re: how to use snort in a switched environment
From: "Les Addison" <laddison () morpace com>
Date: Wed, 14 May 2003 10:31:33 -0400
The Cisco 2924 does support port monitoring. The limitation is that you will have a 10/100 Mbps port attempting to monitor/mirror some number (potentially 23 in your case) of other 10/100 Mpbs ports. Obviously, if any of the other ports is running at capacity then the monitor port will not be able to keep up and traffic will be dropped by the switch. So to use port monitoring the selection of which ports to monitor/mirror must be carefully watched to verify that you are not overloading the monitor port capacity and losing too much traffic. Leslie Addison Firewall/Security Administrator Morpace International, Inc. (248) 737-5315 x404 "This message, together with any attachments, is intended only for the use of the individual or entity to which it is addressed and may contain information that is confidential and prohibited from disclosure. If you are not the intended recipient, you are hereby notified that any dissemination, or copying of this message, or any attachment is strictly prohibited. If you have received this message in error, please notify the original sender immediately by telephone or by return E-mail and delete this message along with any attachment, from your computer. Thank you."
"Jeremy Rodriguez" <jeremyrodriguez () cmsmechanical com> 05/14/03 08:40AM >>>From snort DOCS:
Q: I'm on a switched network, can I still use Snort? A: Being able to sniff on a switched network depends on what type of switch is being used. If the switch can mirror traffic, then set the switch to mirror all traffic to the snort machine's port. My question is that I have a Cisco WS-C2924-XL and I was wondering if anyone has used snort and these switches successfully. The only other way I have found is: INET | ROUTER | HUB --------- SNORT | SWITCH | COMPANY ------------------------------------------------------- Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara The only event dedicated to issues related to Linux enterprise solutions www.enterpriselinuxforum.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara The only event dedicated to issues related to Linux enterprise solutions www.enterpriselinuxforum.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- how to use snort in a switched environment Jeremy Rodriguez (May 14)
- Re: how to use snort in a switched environment Erek Adams (May 14)
- Re: how to use snort in a switched environment Carlos Felix (May 14)
- Message not available
- RE: how to use snort in a switched environment Carlos Felix (May 14)
- Message not available
- Re: how to use snort in a switched environment Carlos Felix (May 14)
- <Possible follow-ups>
- Re: how to use snort in a switched environment Les Addison (May 14)
- Re: how to use snort in a switched environment Matt Schillinger (May 14)