Snort mailing list archives
RE: snort and VLANs
From: MarcT () bops com
Date: Fri, 17 Aug 2001 15:08:29 -0500
I'd be really careful about spanning a VLAN 'port' to a single 100Mbit port. Those VLANS are (on the higher level switches) capable of 4Mbps and beyond (30+ Gbps in the 6500 series Cisco switches). That much data would flatten a single 100Mbit NIC. Maybe you can just span a few key ports, such as ports to a couple of servers, or to other routers? -Marc Thompson -----Original Message----- From: Jason Long [mailto:Jason.Long () MicroMenders com] Sent: Friday, August 17, 2001 3:35 PM To: 'Mohr, Stefan'; 'Snort-users () lists sourceforge net' Cc: "Brügmann, Christian" Subject: RE: [Snort-users] snort and VLANs You might want to install a snort sensor on each VLAN and enable SPAN on the cisco switch for the port the sensor is plugged into to monitor that paticular VLAN. -----Original Message----- From: Mohr, Stefan [mailto:sm () mediascape de] Sent: Friday, August 17, 2001 12:11 PM To: 'Snort-users () lists sourceforge net' Cc: "Brügmann, Christian" Subject: [Snort-users] snort and VLANs hi everybody, i am just thinking of my future confuguration (my machine will be ready in th enext days to run snort the first time) and i have the following problem: i want to monitor traffic with snort in very different networks wirh different netmasks etc. - but all this networks are located on a layer3 switch (CISCO) where of course our admin can put all of these networks - which are really VLANs - to one port (easy, he said!). when i set my network card with it`s ip addr to one of thesse networks, i am sure, that i can monitor traffic in it. but due to the fact that this port will have alle the packets from the other VLANs these are "around" my network card too. the one and only question ist: will this network card cathc this traffic too, when snort is running? or do i have to configure something special on my linux box or is it impossible to catch alle information travveling around there..... thx, stefan _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort and VLANs Mohr, Stefan (Aug 17)
- Re: snort and VLANs Joshua Stein (Aug 17)
- <Possible follow-ups>
- RE: snort and VLANs Jason Long (Aug 17)
- RE: snort and VLANs MarcT (Aug 17)