Snort mailing list archives
Re: can snort help detect bad spans?
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Mon, 21 Mar 2011 19:57:01 -0400
I could be wrong, but I don't see how Snort could identify that type of issue. You would be better off monitoring the span port with Cacti and generating an alert when the port is at a high utilization level for a given amount of time. Damn those network guys! Thx, Wally On Mon, Mar 21, 2011 at 7:21 PM, Jason Haar <Jason.Haar () trimble co nz> wrote:
Hi there We recently had an incident where an existing SPAN port had been allowed to get overloaded by the network group: you know, they spanned a VLAN and then upgraded from 100M to 1G switches without thinking the 100M SPAN port might struggle ;-) Anyway, is there any way snort could pick that up? I'm thinking the TCP streams must have been seriously corrupted for starters (i.e sequence numbers with huge gaps) - does that show up in the stats anywhere? Any other ideas for monitoring the quality of SPANs? -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ------------------------------------------------------------------------------ Enable your software for Intel(R) Active Management Technology to meet the growing manageability and security demands of your customers. Businesses are taking advantage of Intel(R) vPro (TM) technology - will your software be a part of the solution? Download the Intel(R) Manageability Checker today! http://p.sf.net/sfu/intel-dev2devmar _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ Enable your software for Intel(R) Active Management Technology to meet the growing manageability and security demands of your customers. Businesses are taking advantage of Intel(R) vPro (TM) technology - will your software be a part of the solution? Download the Intel(R) Manageability Checker today! http://p.sf.net/sfu/intel-dev2devmar _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- can snort help detect bad spans? Jason Haar (Mar 21)
- Re: can snort help detect bad spans? Jason Wallace (Mar 21)
- Re: can snort help detect bad spans? Joel Esler (Mar 21)
- Re: can snort help detect bad spans? Jason Haar (Mar 21)
- Re: can snort help detect bad spans? Joel Esler (Mar 21)
- Re: can snort help detect bad spans? Jason Wallace (Mar 21)