Re: Port Aggregator Tap alternatives for snort sensor

["Stephen Reese" <rsreese () gmail com>]

I can use the same sensor but then all of the traffic would also be
piled into one database and/or alerts. Is there a way to separate or
tag the traffic so snort or anything else for that matter can discern
the traffic?

Also the taps will be on different networks.

---internet----> TAP ---router---> TAP ----network cloud---

So internet and router reside on ports 1 and 2 of the 2950 switch.
Sensor port 3. Could the output of the router go to port say 4 and out
5 to the network and the sensor also monitor those two assuming they
should be on their own VLAN so there isn't any interference or will
there be problem with have multiple networks on the same switch due to
broadcasts and whatnot. Also besides the different networks the sensor
is still going to combine everything but I guess filters could be used
to help dissect the traffic?

Thanks for the help.

On Mon, Mar 3, 2008 at 7:39 PM, Andrew Willy <andrewwilly () gmail com> wrote:
> Is the same sensor to analyze the multiple taps? You may define multiple
> source interfaces or VLANs in the same monitoring session.
>
> monitor session 1 source interface fa0/1,fa0/2,fa03
>
> Andrew
>
>
>
>
>  On Mon, Mar 3, 2008 at 4:55 PM, Stephen Reese <rsreese () gmail com> wrote:
> > I've been using a Cisco 2950 for single tap I have setup and it has
> > worked fine to date.
> >
> > !
> > interface FastEthernet0/1
> >  switchport access vlan 100
> >  duplex full
> > !
> > interface FastEthernet0/2
> >  switchport access vlan 100
> >  duplex full
> > !
> > !
> > monitor session 1 source interface Fa0/1
> > monitor session 1 destination interface Fa0/3
> >
> > Port one is the internet source, port two is to my routing device and
> > three is to my sensor.
> >
> > I would like to setup some more taps without having to run more
> > switches. An alternative is to purchase a tap still (around $300) or
> > making one from scratch
> > (http://www.altsec.info/passive-network-tap.html) but I would prefer
> > not to have to deal with bonding interfaces. I was considering another
> > 2950 switch (still cost around $250 used) but I figure there has got
> > to be a better solution? A port aggregator seems to be out of the
> > question since they seem to run around $1000...
> >
> > Any recommendations? Thanks.
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Microsoft
> > Defy all challenges. Microsoft(R) Visual Studio 2008.
> > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users