Snort mailing list archives

Re: Snort and switches??


From: Hugh Brown <brown () csit fsu edu>
Date: Fri, 29 Aug 2003 10:32:26 -0400

Not necessarily.  There are indeed methods to "sniff" on any sort of
switch.  MAC address flooding comes to mind.  The old ettercap program
does this sort of thing.  Another is to simply insert a tap, depending
on your setup, in the uplink path (www.netoptics.com for example).  I
dimly remember that SANS has some docs on "sniffing on a switched
network" somewhere on their site.  The real question is just how far are
you willing to go to sniff a switch.  MAC address flooding, etc. are
probably NOT going to be your first choices for an everyday operation.

Failing details that I don't have handy at the moment, I'll point you to
the ultimate research tool...www.google.com.  Between it and the docs
you'll find on snort.org and sans.org you should be able to find
something that will work for you.





Emre Bastuz wrote:


| In case the switches are unmanaged, i.e. they have no way of configuring
| a so called SPAN port or similar feature, you will have no chance of
| monitoring traffic on that particular switch.
|
| No way :(
|
| Emre
|

--
Hugh Brown
Computational Science & Information Technology
Florida State University
400 Dirac Science Center Library
Tallahassee, Florida 32306-4120
brown () csit fsu edu




