Re: Snort Help - Network IDS

[Matt Mercer <mattm () pyramidcorporation com>]

Your switches likely support a feature which allows them to "mirror"
traffic from a number of switchports to another arbitrary switchport,
allowing you to sniff traffic without introducing a single point of
failure.

Depending on how much traffic is hitting those switches, you might have
to play with how many ports are being mirrored to each monitoring port. 
Also, I've honestly never monitored 100 production servers, but I'm
guessing you'll need a number of decent machines to handle the sniffing,
possibly with multiple NICs.  There's likely snort documentation to
advise you on capacity planning here.

If you are using UTP and want to get real paranoid (in an environment
that size, I'm guessing you are =), you could even build a receive-only
Ethernet cable to connect to one NIC for snort to sniff, and put another
NIC on a seperate and dedicated VLAN to syslog your snort alerts, 
perform remote administration, etc.

HTH,

-Matt


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------