Snort mailing list archives
Re: Speaking of spaning ports on a switch...
From: "Scot Scot" <scotw () hotmail com>
Date: Sun, 3 Aug 2003 09:31:23 -0500
Ethernet Test Administrative Port (TAP) device: There are a variety of TAP solutions and a variety of TAP vendors, here is one that may suit your request: http://www.netoptics.com/10-100-tap.html A TAP device will strip the Tx from each direction and deliver it to you in two separate channels. Snort and most other nIDS do not have the native capability to re-combine the separate Tx channels. You would need to take care of this for the sensor using what's called Adapter Teaming or Adapter Bonding. After teaming two NIC's together you will have a Virtual Interface. You can then monitor the Virtual Interface with snort. To test for capability to do this your NIC needs to support fast etherchannel 802.3ad static link aggregation. I know the Intel Pro 10/100 cards support 802.3ad, There are many out there that do. btw, if you have not configured SPAN on a cisco device here's some info to get you going: http://www.cisco.com/warp/public/473/41.html Example SPAN config lines: Switch(config)#monitor session 1 source interface FastEthernet 0/1 both Switch(config)#monitor session 1 destination interface FastEthernet 0/12 The device (or network) you want to monitor would be plugged into port 0/1, your snort nIDS would be plugged into port 0/12 in this example. As always, Just my 2.0134 cents worth (tax included) Scot ----- Original Message ----- From: <support () nps-dc org> To: <snort-users () lists sourceforge net> Sent: Saturday, August 02, 2003 4:17 PM Subject: FW: [Snort-users] Speaking of spaning ports on a switch...
Scot, Thanks. If budget allows, I'll look into the 2950-12. BTW, what's "TAP solution" Fernando -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Scot Scot Sent: Saturday, August 02, 2003 2:04 PM To: snort-users () lists sourceforge net Subject: Re: [Snort-users] Speaking of spaning ports on a switch... This may not be the most cost effective recomendation, but regarding reliability I would recommend the following: Cisco CatalystR 2950-12 They run between $600 / $650-ish You may be better off going with a $400-ish TAP solution. Just my 2.0134 cents worth (tax included) Scot ----- Original Message ----- From: <support () nps-dc org> To: <snort-users () lists sourceforge net> Sent: Friday, August 01, 2003 9:41 PM Subject: [Snort-users] Speaking of spaning ports on a switch... Speaking of spaning ports on a switch... What's the most cost effective 8-16 port switch that supports "spanning/mirrorin" to one port? (100mbit is fine) Thanks, Fernando ------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Speaking of spaning ports on a switch... support (Aug 01)
- Re: Speaking of spaning ports on a switch... Scot Scot (Aug 02)
- <Possible follow-ups>
- FW: Speaking of spaning ports on a switch... support (Aug 02)
- Re: Speaking of spaning ports on a switch... Scot Scot (Aug 03)
- Re: Speaking of spaning ports on a switch... Jon Baer (Aug 03)
- Re: Speaking of spaning ports on a switch... Scot Scot (Aug 03)