Snort mailing list archives

Re: can snort help detect bad spans?


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 21 Mar 2011 20:06:54 -0400

So, you are saying if the ports on the switch were upgraded, but the 100M SPAN port will struggle?  Yes.

Things to look for are a maxed out Stream count in perfstats, and dropped packets. Your dropped packet rate should go up as your session table is full and starts purging. It'll purge because it can't see all the open streams, and thusly will drop.

Your answer lies in perfstats. Hard to explain, I've seen it a couple of a dozen times, but if you know what you are looking at in the perfstats, it sticks right out.

J

On Mar 21, 2011, at 7:21 PM, Jason Haar wrote:

Hi there

We recently had an incident where an existing SPAN port had been allowed
to get overloaded by the network group: you know, they spanned a VLAN
and then upgraded from 100M to 1G switches without thinking the 100M
SPAN port might struggle ;-)

Anyway, is there any way snort could pick that up? I'm thinking the TCP streams must have been seriously corrupted for starters (i.e. sequence numbers with huge gaps) - does that show up in the stats anywhere?

Any other ideas for monitoring the quality of SPANs?



--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net
Twitter: @snort
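Added example, not from the thread or from the Snort project: a small Python check over perfmonitor CSV output that flags the pattern Joel describes, a session table sitting at its cap while the drop percentage climbs. The sample rows are constructed, and the column names (`time`, `pkt_drop_percent`, `total_sessions`, `max_sessions`) are assumed to match the snort.stats header written by the perfmonitor preprocessor; verify them against your own file.

```python
# Added example: flag perfmon intervals where the session table is saturated
# and packet drops rise together, the oversubscribed-SPAN signature described
# in the thread. SAMPLE_STATS is CONSTRUCTED data; the header names are
# ASSUMED to match Snort's snort.stats layout (a '#'-prefixed header line,
# then one CSV row per reporting interval). Check them against your own file.
import csv
from typing import Dict, List

SAMPLE_STATS = """\
#time,pkt_drop_percent,total_sessions,max_sessions
1300743600,0.00,41000,65535
1300743660,0.10,58000,65535
1300743720,4.80,65535,65535
1300743780,12.30,65535,65535
1300743840,0.40,30000,65535
"""


def parse_perfstats(text: str) -> List[Dict[str, float]]:
    """Parse perfmon CSV output: strip the leading '#' from the header row
    and return one dict of floats per interval, keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].lstrip("#").split(",")
    rows = []
    for row in csv.DictReader(lines[1:], fieldnames=header):
        rows.append({k: float(v) for k, v in row.items()})
    return rows


def find_saturated_intervals(rows: List[Dict[str, float]],
                             session_pct: float = 0.95,
                             drop_pct: float = 1.0) -> List[int]:
    """Return timestamps of intervals where the stream table is at or near
    its cap AND the drop percentage exceeds drop_pct. Requiring both avoids
    flagging a one-off drop burst that has nothing to do with table purging."""
    flagged = []
    for r in rows:
        table_full = r["total_sessions"] >= session_pct * r["max_sessions"]
        if table_full and r["pkt_drop_percent"] >= drop_pct:
            flagged.append(int(r["time"]))
    return flagged


if __name__ == "__main__":
    stats = parse_perfstats(SAMPLE_STATS)
    for t in find_saturated_intervals(stats):
        print(f"{t}: session table full with packet drops; check SPAN capacity")
```

Run it against a real snort.stats by reading the file into `parse_perfstats` instead of `SAMPLE_STATS`; the thresholds are starting points to tune for your sensor.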


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users