RE: what's the best setup?

["Chris Eidem" <ceidem () Dexma com>]

depending on your switch, you can set up a monitoring port (port span in
ciscoland) and mirror the ports your servers are on to that port and
sniff from there.  potential problem is that the combined bandwidth
could sink your switch's backplane, so ymmv...

if you are lucky and have these servers on different switches, then you
could span multiple ports with multiple cards in your snortbox.

 - chris

> I was thinking about installing a "master" snort box, which 
> would sniff 
> on its own port and use mysql to store the data, and acid to 
> present it 
> through a web interface, and then install snort "sensors" on 
> the other 
> servers and report the data to the "master" server, the only problem 
> with this is that some of the win servers are smp and winpcap doesn't 
> like smp, is there another way to sniff out these servers without 
> installing a "sensor" locally (did i miss something in the 
> manual) or am 
> I just S-O-L.

_______________________________________________________________

Sponsored by:
ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users