RE: Snort on switched network

[Erek Adams <erek () theadamsfamily net>]

On Tue, 9 Oct 2001, Gadrow, Jim wrote:

> Just a quick comment on your reply to Ashley, please correct me if I'm
> wrong... The tap used as you suggest will not show you the traffic between
> hosts on the switch, just the traffic between this switch and other devices.
> So if I have a 10.1.x.x switch and a 10.2.x.x switch, I can read traffic
> from 10.1.x.x <-> 10.2.x.x, but not 10.1.x.x <-> 10.1.x.x or 10.2.x.x <->
> 10.2.x.x.
>
> AFAIK, the only way to watch all of it would be to tap ALL ports, or use a
> host-based IDS. It actually might work if you tap at least 1 port on each
> blade of the switches as well. When I use promiscuous mode on a port on a
> switch, I only see traffic on that particular blade. Not sure how
> promiscuous mode might work using the tap though...
>
> If that's not true or if there's a better way, let me know because I'm in
> that exact situation.

Well, I didn't really say what I meant.  :-/  The placement of the tap is what
I left out...  Kinda important, that is...  Anyway, if you place the tap on
the uplink of the switch, you should be able to grab all the packets for
anything on that switch.  And no tap to test with right now!  *sigh*

And please!  Correct me if I'm wrong on that folks.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users