Snort mailing list archives
Re: switch port as network tap?
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 15 Feb 2011 11:04:13 -0500
Hubs are only half duplex. If you care.

1) Yes you can span multiple ports to a single port and have Snort listen on that single port. Depending on the switch. Some switches can only do one port to one port spanning, some can only have two spans per switch, etc. Look at the limitations.

2) Look into PulledPork. http://www.snort.org/snort-downloads/additional-downloads#pulledpork

Joel

On Feb 15, 2011, at 10:54 AM, John Williams wrote:

> Thanks Agus & Gravy
>
> Gravy, I think you answered my next question, which is, can I combine the SPAN (network tap) ports into a single VLAN to feed SNORT? Your suggestion that a network hub will work seems to indicate the answer is yes.
>
> On Tue, Feb 15, 2011 at 10:49 AM, GravyFace <gravyface () gmail com> wrote:
>
>> Also a network hub will work, if you have one laying around.
>>
>> On Tue, Feb 15, 2011 at 10:38 AM, Agus <agus.262 () gmail com> wrote:
>>
>>> Hi John,
>>>
>>> 1) You can easily use a switch port SPAN. You would have to be careful with which ports you mirror and traffic cause they could saturate and create load on the switch probably.
>>>
>>> 2) Pulledpork and oinkmaster
>>>
>>> Cheers
>>>
>>> 2011/2/15 John Williams <john.b.williams () gmail com>:
>>>
>>>> I need to get a SNORT system up and running quickly and have a couple questions:
>>>>
>>>> 1) Network taps seem very expensive. Possible stupid question: Is there a reason why one couldn't use a "sniffer" (i.e. read-only) port on an Ethernet VLAN switch rather than a Network Tap? Doesn't it do the same thing?
>>>>
>>>> 2) Is there an automated process for updating the latest signatures?
>>>>
>>>> Thank you!

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net

------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- switch port as network tap? John Williams (Feb 15)
- Re: switch port as network tap? Agus (Feb 15)
- Re: switch port as network tap? GravyFace (Feb 15)
- Re: switch port as network tap? John Williams (Feb 15)
- Re: switch port as network tap? Joel Esler (Feb 15)
- Re: switch port as network tap? John Williams (Feb 15)
- Re: switch port as network tap? Jason Brvenik (Feb 15)
- Re: switch port as network tap? GravyFace (Feb 15)
- Re: switch port as network tap? Agus (Feb 15)