[Cialug] Snort in a switched network

Jeffrey C. Ollie jeff at ocjtech.us
Tue Dec 6 12:27:44 CST 2005


On Tue, 2005-12-06 at 11:24 -0600, Jeff Davis wrote:
> I want to deploy an old box as a dedicated Snort machine.
> I'm looking at ways to do that properly in a switched environment.
>  - Network Taps are expensive.
>  - Multispeed hubs (e.g. 10/100) are really a switch with a small ARP cache.
>    Although it should still work, perhaps someone has done this and would
>    be willing to share their experience.
>  - SPAN / Port Mirroring / Roving Analysis, etc.
>    The 3com switches I have are capable of SPAN, but I'm a little concerned
>    about degrading the performance of the switch with this approach.
>    If anyone has tried this approach I'd really like to know.

If you have enough Ethernet interfaces in your box, you could bridge two
of the interfaces together so that it would just pass through all of the
data.  Put that between your switch and your router (crossover cables
may be required) and you should be good to go.  A third Ethernet
interface could be used for remote management.

Jeff
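The two-NIC bridge described above, as an added example that is not part of the original post: a POSIX shell script that joins two interfaces into an address-less Linux bridge, keeps a third NIC for management, and points Snort at the bridge device. Interface names (eth0/eth1/eth2, br0) and the Snort config path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: turn a Linux box into a transparent
# layer-2 bridge between router and switch so Snort sees every frame, keeping a
# third NIC for management. Interface names and Snort config path are assumed.

SNIFF_A="${SNIFF_A:-eth0}"     # cabled to the router
SNIFF_B="${SNIFF_B:-eth1}"     # cabled to the switch
BRIDGE="${BRIDGE:-br0}"
MGMT="${MGMT:-eth2}"           # management NIC, keeps its ordinary IP address
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Execute a command, or just print it when DRY_RUN=1 (root is needed for the
# real thing; dry-run lets you review the exact commands first).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Refuse a layout where the management NIC is also a bridged NIC: that would
# put the management IP on the monitored path instead of keeping it separate.
validate_layout() {
    a="$1"; b="$2"; m="$3"
    if [ "$a" = "$b" ] || [ "$m" = "$a" ] || [ "$m" = "$b" ]; then
        echo "error: sniffing NICs ($a, $b) and management NIC ($m) must differ" >&2
        return 1
    fi
}

# Build the bridge. No IP address is assigned to the bridge or its members, so
# the sensor forwards frames without being an addressable host on that segment.
setup_bridge() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$SNIFF_A" master "$BRIDGE"
    run ip link set "$SNIFF_B" master "$BRIDGE"
    for dev in "$SNIFF_A" "$SNIFF_B" "$BRIDGE"; do
        run ip addr flush dev "$dev"
        run ip link set "$dev" promisc on
        run ip link set "$dev" up
    done
}

# Snort listens on the bridge device, so it sees traffic from both cables.
start_snort() {
    run snort -i "$BRIDGE" -c "$SNORT_CONF"
}

# Usage: DRY_RUN=1 sh inline-sensor.sh apply   (review the commands)
#        sudo sh inline-sensor.sh apply         (configure for real)
if [ "${1:-}" = "apply" ]; then
    validate_layout "$SNIFF_A" "$SNIFF_B" "$MGMT" && setup_bridge && start_snort
fi
```

Because the sensor sits inline, a crash or unplugged NIC on the Snort box cuts the switch off from the router, so plan for that before relying on it in production.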
