Snort mailing list archives
Re: Snort and switches??
From: Bryan Irvine <bryan.irvine () kingcountyjournal com>
Date: 29 Aug 2003 10:10:03 -0700
Not necessarily. There are indeed methods to "sniff" on any sort of switch. Mac Address flooding comes to mind. The old ettercap program does this sort of thing. Another is to simply insert a tap, depending on your setup, in the uplink path (www.netoptics.com for example). I dimly remember that SANS has some docs on "sniffing on a switched network" somewhere on their site. The real question is just how far are you willing to go to sniff a switch. MacAddress flooding, etc are probably NOT going to be your first choices for an everyday operation.
Our network is switched like a mofo here, and I have snort running on all the exit points. That catches most things. It wouldn't catch a couple guys goofing off and smurfing each other, but it would catch a couple of guys goofing off and smurfing the world, or the world smurfing us :-). That said, the only managable way (IMHO) is to use snort on the gateways (chrooted of course). --Bryan ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort and switches?? Edward Marshall (Aug 28)
- Re: Snort and switches?? Emre Bastuz (Aug 29)
- Re: Snort and switches?? Hugh Brown (Aug 29)
- Re: Snort and switches?? Dan Ferris (Aug 29)
- Re: Snort and switches?? Bryan Irvine (Aug 29)
- Re: Snort and switches?? Hugh Brown (Aug 29)
- Re: Snort and switches?? Erek Adams (Aug 29)
- Re: Snort and switches?? Emre Bastuz (Aug 29)