Re: Speaking of spaning ports on a switch...

["Scot Scot" <scotw () hotmail com>]

Ethernet Test Administrative Port (TAP) device:

There are a variety of TAP solutions and a variety of TAP vendors, here is
one that may suit your request:

http://www.netoptics.com/10-100-tap.html

A TAP device will strip the Tx from each direction and deliver it to you in
two separate channels. Snort and most other nIDS do not have the native
capability to re-combine the separate Tx channels. You would need to take
care of this for the sensor using what's called Adapter Teaming or Adapter
Bonding. After teaming two NIC's together you will have a Virtual Interface.
You can then monitor the Virtual Interface with snort.

To test for capability to do this your NIC needs to support fast
etherchannel 802.3ad static link aggregation. I know the Intel Pro 10/100
cards support 802.3ad, There are many out there that do.

btw, if you have not configured SPAN on a cisco device here's some info to
get you going:

http://www.cisco.com/warp/public/473/41.html

Example SPAN config lines:

Switch(config)#monitor session 1 source interface FastEthernet 0/1 both

Switch(config)#monitor session 1 destination interface FastEthernet 0/12

The device (or network) you want to monitor would be plugged into port 0/1,
your snort nIDS would be plugged into port 0/12 in this example.

As always, Just my 2.0134 cents worth (tax included)
Scot

----- Original Message ----- 
From: <support () nps-dc org>
To: <snort-users () lists sourceforge net>
Sent: Saturday, August 02, 2003 4:17 PM
Subject: FW: [Snort-users] Speaking of spaning ports on a switch...


> Scot,
>
> Thanks.  If budget allows, I'll look into the 2950-12.  BTW, what's  "TAP
> solution"
>
> Fernando
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Scot Scot
> Sent: Saturday, August 02, 2003 2:04 PM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Speaking of spaning ports on a switch...
>
>
> This may not be the most cost effective recomendation, but regarding
> reliability I would recommend the following:
>
> Cisco CatalystR 2950-12
> They run between $600 / $650-ish
>
> You may be better off going with a $400-ish TAP solution.
>
> Just my 2.0134 cents worth (tax included)
> Scot
>
>
> ----- Original Message ----- 
> From: <support () nps-dc org>
> To: <snort-users () lists sourceforge net>
> Sent: Friday, August 01, 2003 9:41 PM
> Subject: [Snort-users] Speaking of spaning ports on a switch...
>
>
> Speaking of spaning ports on a switch...
>
> What's the most cost effective 8-16 port switch that supports
> "spanning/mirrorin" to one port?  (100mbit is fine)
>
> Thanks,
>
> Fernando
>
>
>
> -------------------------------------------------------
> This SF.Net email sponsored by: Free pre-built ASP.NET sites including
> Data Reports, E-commerce, Portals, and Forums are available now.
> Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users