[Cialug] Snort in a switched network

Nathan C. Smith smith at ipmvs.com
Tue Dec 6 11:35:06 CST 2005


I would think that a port monitoring-type setting is what you would want to
use on a switch.
You can set one port to 'echo' traffic on another port.  I don't remember
what 3Com's parlance is for that.

How many wires do you need to monitor?

One switch I have can monitor multiple other ports if you set it to. I don't
know if a switch like that would be less expensive than multiple network
taps, though.

-Nate


-----Original Message-----
From: Jeff Davis [mailto:jeff at dynamictelecard.com] 
Sent: Tuesday, December 06, 2005 11:24 AM
To: Central Iowa Linux Users Group
Subject: [Cialug] Snort in a switched network


I want to deploy an old box as a dedicated Snort machine.
I'm looking at ways to do that properly in a switched environment.
 - Network Taps are expensive.
 - Multispeed hubs (e.g. 10/100) are really a switch with a small ARP cache.
   Although it should still work, perhaps someone has done this and would
   be willing to share their experience.
 - SPAN / Port Mirroring / Roving Analysis, etc.
   The 3Com switches I have are capable of SPAN, but I'm a little concerned
   about degrading the performance of the switch with this approach.
   If anyone has tried this approach I'd really like to know.


-Jeff




