[Cialug] Snort in a switched network

Jerry Heiselman jweida at gmail.com
Tue Dec 6 11:31:18 CST 2005


We run SNORT in a Cisco environment with SPAN enabled so it duplicates our
DMZ to an interface where our FreeBSD box is plugged in without an IP
address.  This works just fine for us and does not put a significant load on
the switches.  These are, however, 4507s and are monster machines.

We have run SPAN on smaller switches (2900s and 2950s) without too much
degradation in the performance.  It just depends on how much traffic we are
talking about.

jerry

On 12/6/05, Jeff Davis <jeff at dynamictelecard.com> wrote:
>
> I want to deploy an old box as a dedicated Snort machine.
> I'm looking at ways to do that properly in a switched environment.
> - Network Taps are expensive.
> - Multispeed hubs (e.g. 10/100) are really a switch with a small ARP
> cache.
>    Although it should still work, perhaps someone has done this and would
>    be willing to share their experience.
> - SPAN / Port Mirroring / Roving Analysis, etc.
>    The 3com switches I have are capable of SPAN, but I'm a little concerned
>    about degrading the performance of the switch with this approach.
>    If anyone has tried this approach I'd really like to know.
>
>
> -Jeff
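The setup Jerry describes (a SPAN session on the switch feeding a sensor port, with the sniffing NIC on the FreeBSD box carrying no IP address) is the usual "stealth sensor" pattern. The script below is an added example, not code from either poster: it shows the switch-side SPAN session as an illustrative IOS fragment and gives the sensor-side checks a practitioner would run before trusting the box. Interface names (em1, GigabitEthernet1/1 and 1/2), the Snort config and log paths, and the sample ifconfig output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example for a SPAN-fed Snort sensor on FreeBSD.  Interface names,
# switch ports, Snort paths and the sample ifconfig text are assumptions.

# Illustrative Cisco IOS SPAN session (run on the switch, not here).  The DMZ
# uplink is mirrored to the sensor port in both directions.  The destination
# port is left without 'ingress', so the sensor can only receive mirrored
# frames and cannot inject traffic back into the DMZ.
span_config() {
  cat <<'EOF'
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 destination interface GigabitEthernet1/2
EOF
}

# Bring the sniffing interface up in promiscuous mode with no address bound.
# No 'inet' argument is given, so the interface stays addressless; the
# 'inet6 ifdisabled' flag keeps FreeBSD from auto-assigning a link-local
# IPv6 address that would make the sensor answer neighbour discovery.
bring_up_sensor() {
  iface="$1"
  ifconfig "$iface" inet6 ifdisabled
  ifconfig "$iface" up promisc
}

# Check ifconfig output for the sniffing interface and return 0 only if it
# looks right for a stealth sensor: UP, PROMISC, and no inet/inet6 address.
# The output is passed in as text so the check can be exercised offline.
sensor_iface_ok() {
  out="$1"
  echo "$out" | grep -Eq '[<,]UP[,>]' \
    || { echo "interface is down" >&2; return 1; }
  echo "$out" | grep -Eq '[<,]PROMISC[,>]' \
    || { echo "interface is not promiscuous" >&2; return 1; }
  if echo "$out" | grep -Eq '^[[:space:]]*inet6? '; then
    echo "interface has an address bound; a sensor port should have none" >&2
    return 1
  fi
  return 0
}

# Start Snort in IDS mode on the addressless interface (standard Snort 2
# flags: -i interface, -c rules/config, -l log directory, -D daemonize).
start_snort() {
  snort -i "$1" -c /usr/local/etc/snort/snort.conf -l /var/log/snort -D
}

# Usage on the sensor (requires root):
#   bring_up_sensor em1
#   sensor_iface_ok "$(ifconfig em1)" && start_snort em1
```

The address check matters more than it looks: a sensor NIC with an IP address is reachable from the mirrored segment, which both gives an attacker a target and, on a SPAN destination that allows ingress, a way to talk back through the switch. Keeping the NIC addressless means the only path to the Snort box is its separate management interface.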