Snort mailing list archives

Re: Snort and switches??


From: Bryan Irvine <bryan.irvine () kingcountyjournal com>
Date: 29 Aug 2003 10:10:03 -0700


Not necessarily.  There are indeed methods to "sniff" on any sort of
switch.   MAC address flooding comes to mind.  The old ettercap program
does this sort of thing.  Another is to simply insert a tap, depending
on your setup, in the uplink path (www.netoptics.com for example).  I
dimly remember that SANS has some docs on "sniffing on a switched
network" somewhere on their site.  The real question is just how far
you are willing to go to sniff a switch.  MAC address flooding, etc. are
probably NOT going to be your first choices for an everyday operation.

Our network is switched like a mofo here, and I have snort running on
all the exit points.  That catches most things.  It wouldn't catch a
couple guys goofing off and smurfing each other, but it would catch a
couple of guys goofing off and smurfing the world, or the world smurfing
us :-).

That said, the only manageable way (IMHO) is to use snort on the gateways
(chrooted of course).

--Bryan


