Snort mailing list archives
Re: Taps, Rx Only Cables & Hubs - Which one(s)?
From: Rich Adamson <radamson () routers com>
Date: Tue, 8 Jun 2004 09:50:48 -0600
I'm trying to get Snort running on Win2K with MSSQL...so far I have been successful. The next step is to implement it into the network in receive only mode (stealth) but I am seeing conflicting configurations for this in the mail list archives and on the web. From what I've gathered, using a tap and a receive only cable is the only way this works but it won't work when going to a switch? Here was my original thinking:
Firewall ------ Tap ------- Switch to Network
                 |
               Snort
A switch with port-mirroring capability will work just fine; have lots of them working and not missing a beat. The 'quality' of the switch will make a difference however. Some switches (eg, Cisco) provide the capability to port mirror traffic "to" snort, but will not pass any packets initiated by the snort interface inbound to the switch. Using that approach, you don't really care if the snort interface has an IP address or not; it's irrelevant. Using an HP 2524 switch, port mirroring in most cases needs to be configured by mirroring the entire default vlan. Using that example, if the snort interface has an IP address, the HP will accept packets initiated from the snort box. (Read that as less secure, but certainly not the end of the world.)

One can use a Hub in place of a Switch, however network performance through the hub (user traffic) can be very noticeably degraded depending upon the overall traffic through the hub.

Once you have a system installed, working, and have a better understanding how snort can help identify security issues, then consider focusing on making the sniffing interface more stealthy if it is actually needed at all.