Snort mailing list archives
RE: Hub recommendations
From: Shane Williams <shanew () shanew net>
Date: Fri, 3 Dec 2004 07:52:20 -0600 (CST)
It does depend. We have a 3550, and it can have a max of two SPAN/RSPAN sessions. They cannot have the same destination port, but they can have the same source ports or VLANs. I assume as you move up their line, you can have more than two sessions.

On Fri, 3 Dec 2004, Basselgia, Barry A Mr (NAF Atsugi) wrote:

It may depend on the model 2950 you have, but I know on mine you can only have 1 span session at a time. I've tried configuring a second span session and get an error message that I'm limited to 1 session.

Barry

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Joe Patterson
Sent: Friday, December 03, 2004 4:08 AM
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Hub recommendations

There are a couple of ways I can think of to do this. Newer Cisco switch IOS's use "monitor sessions". You can read up on them here:

http://cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84c5.html

for the 2950 series switches. Each SPAN "session" can have multiple source ports (either tx, rx, or both) and one destination port. So what you would do is to have session 1 be going to your IDS, and monitor ports SPAN1-SPANx, session 2 goes to ntop, and monitors ports SPAN1-SPANx, session 3 goes to ethereal, and monitors ports SPAN1-SPANx, etc... I believe that's not only possible, but would do what you want it to. :)

There's always the problem of trying to mirror 5 100Mbit bidirectional ports to a single 100Mbit unidirectional port. There are potential solutions to that problem also, but that's a discussion for a different day...

-Joe

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Matt Van Mater
Sent: Thursday, December 02, 2004 12:25 PM
To: Shane Williams
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Hub recommendations

> I won't claim to fully grasp how it works, but the RSPAN ability in some Cisco switches sounds like what you want.
> Whatever you end up doing, I suspect there are more than a few of us who would like to hear how it works out.

I looked into RSPAN as well, and I think it has the same limitations as SPAN where you can only define a single destination port for the traffic feed. The main difference with RSPAN is that the source of all your traffic and the destination port where you want it to end up don't have to be on the same physical switch. Like you, I'm not an expert but I've been reading up on this for a while so I think I've got a pretty good grasp of it. :)

I have one other implementation idea on how to set this up more cheaply than spending $50k or more on bunches of netoptics hardware: Feed all your SPAN sessions into a Switch and then SPAN all your traffic coming in on that switch to a single destination port. This destination port connects to a netoptics regeneration tap or similar device that makes copies of the aggregated data and sends it to multiple devices. (I might be able to do this with OpenBSD's PF dup-to option and save even more money)

It seems pretty simple and I don't know why I didn't suggest it earlier. I think in a high load environment you would need some beefy switches to support this, but I think the network analysis devices will remain the bottleneck in the equation.

SPAN1---|                                                      |--IDS
SPAN2---|-----Cisco switch                                     |--ntop
SPAN3---|     SPAN--------netoptics regeneration tap----------|ethereal
SPANx---|                                                      |-...

Comments?

-- 
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                | System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines | shanew () shanew net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
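
The two-session layout discussed in this thread (the same source ports mirrored to two different destination ports, which the 3550 described above allows), written out as Catalyst IOS configuration. This is an added example, not configuration posted by anyone in the thread; the interface numbers are assumptions.

```cisco
! Added example, not from the thread. Interface numbers are assumptions:
!   Fa0/1 - 5 : ports being monitored ("SPAN1-SPANx" in the thread)
!   Fa0/23    : port the IDS sensor is plugged into
!   Fa0/24    : port the ntop host is plugged into
!
! Session 1: copy traffic in both directions from the monitored ports to the IDS.
monitor session 1 source interface FastEthernet0/1 - 5 both
monitor session 1 destination interface FastEthernet0/23
!
! Session 2: same source ports, different destination port (ntop).
! A switch limited to one session rejects these two lines, which is the
! behaviour reported for the 2950 in the thread.
monitor session 2 source interface FastEthernet0/1 - 5 both
monitor session 2 destination interface FastEthernet0/24
!
! Capacity check for the oversubscription problem raised in the thread:
! five 100 Mbit full-duplex sources can offer up to 5 x 100 x 2 = 1000 Mbit/s
! to a destination port that can transmit only 100 Mbit/s. Mirrored frames
! beyond that rate are dropped by the switch, so the sensor can miss packets
! under load.
!
! Verify from privileged EXEC with: show monitor session 1
```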