Snort mailing list archives

Re: snort and tap ethernet

From: Craig Paterson <craigp () tippett com>
Date: Tue, 30 Mar 2004 09:01:47 -0800

Alessandro Fiorenzi wrote:

I was thinking to snort and taps when I have had a question.

is better mirroring one port with 3com or cisco mirroring feature,
having the two send and recive signals toghether, or is better to have
passive tap ethernet with one port for send and one for recive signal?

Which are the best taps?

I don't know about the best taps, but we're using Shomiti (Finisar) IL/1taps and they seem to work. The power supplies aren't the mostconvenient for tidy racks.

As for tap vs. mirrored port, lots of people have already mentionedpotential degradation of switch peformance. Also a switch won't mirror*precisely* what's on the wire -- broken traffic will be dropped, so youwon't see it. Probably not a huge issue for IDS, but worth noting.


Craig.




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

snort and tap ethernet Alessandro Fiorenzi (Mar 29)
- Re: snort and tap ethernet AJ Butcher, Information Systems and Computing (Mar 30)
- Re: snort and tap ethernet Craig Paterson (Mar 30)
- <Possible follow-ups>
- Re: snort and tap ethernet Mark . Schutzmann (Mar 30)
- RE: snort and tap ethernet Spencer, Arthur (Mar 30)