Snort mailing list archives

Re: Snort multiple sensor configuration


From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Thu, 09 Oct 2008 13:39:08 -0500

Quoting Matt Olney <molney () sourcefire com>:

> Stephen,
>
> As an aside, since you're using (I'm assuming SPAN or RSPAN) sessions on the
> Cisco switches, make sure that you aren't dropping any packets at the switch
> port.  I've seen installations where they have oversubscribed their SPAN
> ports and have lost packets there, rather than on the interface to the Snort
> box.

Yes! Excellent point.  This is a very common deployment error.  Use
MRTG or SNMP to watch for dropped packets on the switchport that the
sensor is plugged into.

For example, using a 10/100 port to monitor a switch with 48 ports, I
can just about guarantee that Snort will drop no packets at all,
because it's only going to get one percent or less of the total traffic.

jp

-- 

Framework?  I don't need no stinking framework!

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
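
The SNMP check suggested in the message above, as an added example that is not part of the original post: it compares two polls of the switch port feeding the sensor and reports egress discards and utilization, allowing for Counter32 wrap. The use of IF-MIB ifOutDiscards, ifOutOctets and ifSpeed as the counters to watch, the ifIndex 10148, the 60-second interval and the sample values are assumptions constructed for illustration.

```python
import re

# Constructed sample input: two polls, 60 s apart, of the mirror destination
# port, in net-snmp "snmpget" output style. ifIndex 10148 is a placeholder.
POLL_T0 = """\
IF-MIB::ifOutDiscards.10148 = Counter32: 4294967000
IF-MIB::ifOutOctets.10148 = Counter32: 4100000000
IF-MIB::ifSpeed.10148 = Gauge32: 100000000
"""
POLL_T1 = """\
IF-MIB::ifOutDiscards.10148 = Counter32: 1204
IF-MIB::ifOutOctets.10148 = Counter32: 530032704
IF-MIB::ifSpeed.10148 = Gauge32: 100000000
"""

LINE = re.compile(r"IF-MIB::(\w+)\.(\d+) = \w+: (\d+)")

def parse(poll):
    """Return {object_name: value} for one poll of a single interface."""
    return {m.group(1): int(m.group(3)) for m in LINE.finditer(poll)}

def delta32(old, new):
    """Difference between two Counter32 samples, allowing one wrap at 2**32."""
    return (new - old) % 2**32

def span_port_report(t0, t1, interval_s):
    """Summarize what the mirror port sent and discarded between two polls."""
    a, b = parse(t0), parse(t1)
    discards = delta32(a["ifOutDiscards"], b["ifOutDiscards"])
    octets = delta32(a["ifOutOctets"], b["ifOutOctets"])
    # Fraction of the port's line rate used by mirrored traffic.
    util = octets * 8 / interval_s / b["ifSpeed"]
    return {
        "discards": discards,
        "discards_per_s": discards / interval_s,
        "utilization": round(util, 3),
        # Any egress discard here is a packet the sensor never received,
        # so Snort's own drop statistics will not account for it.
        "packets_lost_before_sensor": discards > 0,
    }

if __name__ == "__main__":
    print(span_port_report(POLL_T0, POLL_T1, 60))
```

Poll often enough that a Counter32 cannot wrap more than once between samples; at 100 Mb/s, ifOutOctets wraps in under six minutes.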

