Snort mailing list archives

Re: SPAN

From: Chris Keladis <Chris.Keladis () cmc optus net au>
Date: Tue, 20 Aug 2002 11:07:49 +1000

At 05:34 PM 19/08/2002 -0700, Tim wrote:

Quick question, will snort sensors play with monitored ports on a Cisco10/100 switch or is placing a hub be the better way to setup the sensors?

I'm no switching expert by any stretch of the imagination, but i guess itwould depend on the amount of traffic your looking at.

A monitored port on a switch would work fine for low-traffic environments,but for higher speed monitoring it's more natural to use a hub.

Personally i like Ethernet taps the best, as they 'tap' into your networkstream and split your traffic to your IDS systems.

One drawback with the taps is that they are usually Read-Only (there may beRW taps out there, i just have not seen them, myself), so you cant use anyactive-response features, which i don't agree with in principal anyway.


Anyway, just my 2quid. :)



Regards,

Chris.



-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

SPAN Tim (Aug 19)
- Re: SPAN hackerwacker (Aug 19)
- Re: SPAN Chris Keladis (Aug 26)
- <Possible follow-ups>
- RE: SPAN Tom Sevy (Aug 19)
- RE: SPAN Owen Creger (Aug 20)
- Re: SPAN HenkP (Aug 27)
  - Re: SPAN Alexander Hoogerhuis (Aug 31)