Snort mailing list archives
Re: Using snort on a switched network
From: Jason Costomiris <jcostom () jasons org>
Date: Sun, 6 Jan 2002 15:48:39 -0500
On Sun, Jan 06, 2002 at 11:21:37AM -0700, Linux Boy wrote:
: One quick question. How does snort do NID on a switched network?

As others have noted, set up a span port. However, in many large organizations, this is not a possibility. Why? The switches are typically not controlled by the security group, but rather by network/telecom. To get around that, do one of two things:

1. Use a tap - others have noted this.

2. Use a hub - plug the internal i/f into the hub, plug your snort box into the hub. Take the cable that was connected to the internal i/f of the firewall and use that as the uplink on the hub. Make sure it's a good, solid quality hub. $10 netgear hubs most likely are not what you want for this job. :)

I also seemed to gather that you wanted to run your NIDS outside your firewall. If you're only going to run one sensor, make it just inside the firewall. Think about it - are you more concerned with attack signatures showing up outside or inside your firewall? If you're smart, you're more concerned about the inside. :)

--
Jason Costomiris <>< | Technologist, geek, human.
jcostom {at} jasons {dot} org | http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
My account, My opinions.