[Cialug] Snort in a switched network
John.Lengeling at radisys.com
John.Lengeling at radisys.com
Tue Dec 6 11:36:26 CST 2005
I have run Snort with:
- a 100Mb hub
- a 10/100 hub (as long as all links are at the same speed).
- and using port mirroring
All of them worked just fine.
Jeff Davis <jeff at dynamictelecard.com>
Sent by: cialug-bounces at cialug.org
12/06/2005 11:24 AM
Please respond to
Central Iowa Linux Users Group <cialug at cialug.org>
To
Central Iowa Linux Users Group <cialug at cialug.org>
cc
Subject
[Cialug] Snort in a switched network
I want to deploy an old box as a dedicated Snort machine.
I'm looking at ways to do that properly in a switched environment.
- Network Taps are expensive.
- Multispeed hubs (e.g. 10/100) are really a switch with a small ARP
cache.
Although it should still work, perhaps someone has done this and would
be willing to share their experience.
- SPAN / Port Mirroring / Roving Analysis, etc.
The 3com switches I have are capable of SPAN, but I'm a little
concerned
about degrading the performance of the switch with this approach.
If anyone has tried this approach I'd really like to know.
-Jeff
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cialug.org/pipermail/cialug/attachments/20051206/59e48304/attachment-0001.htm
More information about the Cialug
mailing list