Snort mailing list archives

RE: snort and tap ethernet


From: "Spencer, Arthur" <Arthur.Spencer () umassmed edu>
Date: Tue, 30 Mar 2004 13:34:24 -0500

An interesting thing that I do is monitor 2 firewall clusters with one Snort
box.  I tap the (4) 100MB ports on the inside of the network with
Netoptics taps - take all (8) 100MB ports and feed an Enterasys VH
switch,  mirror all 8 ports on the 100MB switch to feed one Gig port
going to a SysKonnect Gig NIC in my server.

Saves money and hardware and simplifies configuration. Switch
utilization never peaks even under heavy loads.  Server utilization has
to be monitored and your rule base needs to be optimized; but, it works.

* Art Spencer..

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Craig
Paterson
Sent: Tuesday, March 30, 2004 12:02 PM
To: Alessandro Fiorenzi
Cc: snort-users
Subject: Re: [Snort-users] snort and tap ethernet

Alessandro Fiorenzi wrote:

I was thinking about Snort and taps when a question came to mind.

Is it better to mirror one port with the 3Com or Cisco mirroring feature,
having the send and receive signals together, or is it better to have a
passive Ethernet tap with one port for the send signal and one for the receive signal?

Which are the best taps? 


I don't know about the best taps, but we're using Shomiti (Finisar) IL/1
taps and they seem to work. The power supplies aren't the most
convenient for tidy racks.

As for tap vs. mirrored port, lots of people have already mentioned
potential degradation of switch performance. Also a switch won't mirror
*precisely* what's on the wire -- broken traffic will be dropped, so you
won't see it. Probably not a huge issue for IDS, but worth noting.

Craig.




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux
tutorial presented by Daniel Robbins, President and CEO of GenToo
technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


