Snort mailing list archives

Re: Using snort on a switched network


From: Jason Costomiris <jcostom () jasons org>
Date: Sun, 6 Jan 2002 15:48:39 -0500

On Sun, Jan 06, 2002 at 11:21:37AM -0700, Linux Boy wrote:
:      One quick question.  How does snort do NID on a switched network? 

As others have noted, set up a span port.

However, in many large organizations, this is not a possibility.  Why?
The switches are typically not controlled by the security group, but
rather by network/telecom.  To get around that, do one of two things:

1. Use a tap - others have noted this.

2. Use a hub - plug the internal i/f into the hub, plug your snort box
into the hub.  Take the cable that was connected to the internal i/f of
the firewall and use that as the uplink on the hub.  Make sure it's a 
good, solid quality hub.  $10 netgear hubs most likely are not what you
want for this job. :)

I also seemed to gather that you wanted to run your NIDS outside your
firewall.  If you're only going to run one sensor, make it just inside the
firewall.  Think about it - are you more concerned with attack signatures
showing up outside or inside your firewall?  If you're smart, you're more
concerned about the inside. :)

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
          Quidquid latine dictum sit, altum viditur.
                    My account, My opinions.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
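As a check that a span port, tap or hub actually delivers other hosts' traffic to the sensor, here is an added Python example that is not part of the original post: it classifies observed (src, dst) MAC pairs and reports "switched-only" when the sniffing interface sees nothing beyond its own frames and broadcast/multicast. The MAC addresses and frames are constructed sample data; in practice you would feed it address pairs pulled from a short tcpdump run on the sensor interface.

```python
# Added example (not from the original post): sanity-check that a Snort
# sensor's sniffing interface actually receives third-party traffic, which is
# what a SPAN port, tap or hub is supposed to deliver on a switched network.
# On a plain switched port the sensor only sees broadcast/multicast frames and
# frames addressed to itself, so unicast between two OTHER hosts is the tell.
# All MAC addresses and frames below are constructed sample data.
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_group_address(mac: str) -> bool:
    # The low bit of the first octet marks multicast/broadcast destinations.
    return int(mac.split(":")[0], 16) & 0x01 == 1

def classify_frames(frames, sensor_mac):
    """Count what the sniffing interface sees.
    frames: iterable of (src_mac, dst_mac) pairs observed on the wire."""
    sensor_mac = sensor_mac.lower()
    counts = Counter()
    for src, dst in frames:
        src, dst = src.lower(), dst.lower()
        if sensor_mac in (src, dst):
            counts["to_or_from_sensor"] += 1
        elif is_group_address(dst):
            counts["group"] += 1        # every port on a switch sees these
        else:
            counts["third_party"] += 1  # unicast between two other hosts
    return counts

def visibility_verdict(frames, sensor_mac, min_third_party=1):
    """'full' if other hosts' unicast traffic reaches the sensor (the SPAN,
    tap or hub is doing its job); 'switched-only' if it sees nothing but
    its own and group traffic, i.e. it is on an ordinary switch port."""
    counts = classify_frames(frames, sensor_mac)
    return "full" if counts["third_party"] >= min_third_party else "switched-only"

SENSOR = "00:11:22:33:44:55"                      # hypothetical sensor MAC
SWITCHED_PORT_SAMPLE = [
    ("00:aa:bb:cc:dd:01", BROADCAST),             # ARP request
    ("00:aa:bb:cc:dd:02", "01:00:5e:00:00:fb"),   # mDNS multicast
    ("00:aa:bb:cc:dd:01", SENSOR),                # addressed to the sensor
]
SPAN_PORT_SAMPLE = SWITCHED_PORT_SAMPLE + [
    ("00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"),   # unicast between other hosts
    ("00:aa:bb:cc:dd:02", "00:aa:bb:cc:dd:01"),
]

if __name__ == "__main__":
    for name, sample in (("switched port", SWITCHED_PORT_SAMPLE), ("span port", SPAN_PORT_SAMPLE)):
        print(name, visibility_verdict(sample, SENSOR), dict(classify_frames(sample, SENSOR)))
```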
