Snort mailing list archives

I've read FAQ; Need switch/hub advice.


From: "Shaun T. Erickson" <ste () smxy org>
Date: Thu, 22 Apr 2004 11:10:49 -0400

I'm brand new to Snort. I was just hired by a small firm to install it on their networks. I'm reading the Syngress Snort 2.0 book now. I have the 2.1 edition on order. I've read the FAQ section (1.8) on using Snort in a switched environment. Doing my best to come up to speed ASAP, as they want it installed last month (of course).

Network setup: T1 coming in to a Cisco 2620, then on to a SonicWall Pro 330. There is a DMZ net on the SonicWall that uses real IP addresses. The WAN port of the SonicWall and the addresses in the DMZ are all on the same subnet. The LAN interface of the SonicWall is connected to a Linux iptables firewall with two internal LANs connected to it. Each network (DMZ, LAN1 & LAN2) has a dumb, unmanaged, 16-port 100Mb switch on it.

From what I've read so far (having only started last night), I should put Snort on three systems: one for each net (DMZ and both LANs).

First question: I don't want to compromise throughput, so it seems like the correct solution would be to replace the switches with managed switches that can mirror all traffic to a monitoring port. *Is* that the best solution? I don't want to tell them to spend money on something they don't need.

Second question: If doing what I suggest above is the right solution, can anyone recommend switches to me that don't suffer from performance degradation when mirroring the traffic to the monitoring port?

I really want to get this right, for two really important reasons: 1) I want to do my best for my customer, and 2) this is my first paying job since getting laid off a year and a half ago, and they have indicated that if this trial month goes well, they may hire me as an employee, so I *don't* want to fubar this.

Feel free to offer any advice/criticism you might think is pertinent to my getting this job done right, including anything related to things Snort newbies frequently overlook or get wrong. :)

        -ste
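For readers evaluating the "managed switch with a mirror port" option the post asks about, here is an added example of what the monitoring-port configuration looks like on a Cisco Catalyst switch running IOS (a SPAN session). It is not from the post or from the Snort project; the switch model, interface names and the choice of port 16 as the sensor port are assumptions for illustration.

```text
! Assumed: a 16-port Catalyst (Fa0/1 - Fa0/16), Snort sensor cabled to Fa0/16.
! Copy both directions (rx and tx) of every other port to the sensor port.
configure terminal
 monitor session 1 source interface FastEthernet0/1 - 15 both
 monitor session 1 destination interface FastEthernet0/16
 end
! Verify the session is active and lists the expected ports.
show monitor session 1
```

Two points worth checking before recommending this: a SPAN session copies frames in hardware and does not slow the switch's normal forwarding path, so the "performance degradation" concern applies to the destination port rather than to the switch as a whole; and 15 full-duplex 100Mb ports can produce far more than the 100Mb the single destination port can carry, so under load the switch silently drops mirrored frames and the sensor sees an incomplete picture. Checking the sensor's interface drop counters under realistic traffic is the quickest way to tell whether the mirror port is keeping up.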

