Re: how to use snort in a switched environment

[Matt Schillinger <mschilli () vss fsi com>]

If you have the budget, you could get a gigabit module put into the
2924, then span multiple ports.. You may have scaling issues, I think
that a 2.4Ghz Xeon will handle between 250-400Mbits.. you may consider a
TopLayer switch.

On Wed, 2003-05-14 at 09:31, Les Addison wrote:
> The Cisco 2924 does support port monitoring. The limitation is that you will have a 10/100 Mbps port attempting to 
> monitor/mirror some number (potentially 23 in your case) of other 10/100 Mpbs ports. Obviously, if any of the other 
> ports is running at capacity then the monitor port will not be able to keep up and traffic will be dropped by the 
> switch. So to use port monitoring the selection of which ports to monitor/mirror must be carefully watched to verify 
> that you are not overloading the monitor port capacity and losing too much traffic.
>
>
> Leslie Addison
> Firewall/Security Administrator
> Morpace International, Inc.
> (248) 737-5315 x404
>
> "This message, together with any attachments, is intended only for the use
> of the individual or entity to which it is addressed and may contain
> information that is confidential and prohibited from disclosure. If you are
> not the intended recipient, you are hereby notified that any dissemination,
> or copying of this message, or any attachment is strictly prohibited.  If
> you have received this message in error, please notify the original sender
> immediately by telephone or by return E-mail and delete this message along
> with any attachment, from your computer.  Thank you."
>
>
>
>
> > > > "Jeremy Rodriguez" <jeremyrodriguez () cmsmechanical com> 05/14/03 08:40AM >>>
> > From snort DOCS:
> Q: I'm on a switched network, can I still use Snort?
>
> A: Being able to sniff on a switched network depends on what type of
>    switch is being used.  If the switch can mirror traffic, then set
>    the switch to mirror all traffic to the snort machine's port.
>
> My question is that I have a Cisco WS-C2924-XL and I was wondering if anyone
> has used snort and these switches successfully.
>
>
> The only other way I have found is:
>
> INET
>      |
> ROUTER
>      |
>  HUB --------- SNORT
>      |
> SWITCH
>      |
> COMPANY
>
>
>
>
> -------------------------------------------------------
> Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
> The only event dedicated to issues related to Linux enterprise solutions
> www.enterpriselinuxforum.com 
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net 
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
> -------------------------------------------------------
> Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
> The only event dedicated to issues related to Linux enterprise solutions
> www.enterpriselinuxforum.com
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Matt Schillinger
System Administrator
FlightSafety International
mschilli () vss fsi com
314-551-8403




-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users