Snort mailing list archives
Re: switch port as network tap?
From: Jason Brvenik <jasonb () sourcefire com>
Date: Tue, 15 Feb 2011 16:59:58 -0500
I think things get a lot more difficult when you are looking for a blind recommendation.

- When you say ID of up to 6 networks what does that mean?
- When you say span on each network combined, does that mean a feed from 6 different switches combining into one span?
- What is the utilization of those links?

There are a lot of questions that come out of the question, and what the tap vendors excel at handling and recommending. We are more than happy to help and make a recommendation but it is going to involve a bit of Q&A and the result may well be more difficult than just getting an aggregation tap.

Your other option, and one that might be simpler to get going with but more work to maintain, would be to use a sensor with 6 monitoring interfaces.

On Tue, Feb 15, 2011 at 11:23 AM, John Williams <john.b.williams () gmail com> wrote:

Excellent. Can anyone recommend a make/model of VLAN switch for this purpose, for ID of up to 6 networks, with a span port on each network combined to a single port for SNORT to listen on?

Thanks!

On Tue, Feb 15, 2011 at 11:04 AM, Joel Esler <jesler () sourcefire com> wrote:

Hubs are only half duplex. If you care.

1) Yes you can span multiple ports to a single port and have Snort listen on that single port. Depending on the switch. Some switches can only do one port to one port spanning, some can only have two spans per switch, etc. Look at the limitations.
2) Look into PulledPork. http://www.snort.org/snort-downloads/additional-downloads#pulledpork

Joel

On Feb 15, 2011, at 10:54 AM, John Williams wrote:

Thanks Agus & Gravy

Gravy, I think you answered my next question, which is, can I combine the SPAN (network tap) ports into a single VLAN to feed SNORT? Your suggestion that a network hub will work seems to indicate the answer is yes.

On Tue, Feb 15, 2011 at 10:49 AM, GravyFace <gravyface () gmail com> wrote:

Also a network hub will work, if you have one laying around.

On Tue, Feb 15, 2011 at 10:38 AM, Agus <agus.262 () gmail com> wrote:

Hi John,

1) You can easily use a switch port SPAN. You would have to be careful with which ports you mirror and traffic cause they could saturate and create load on the switch probably.
2) Pulledpork and oinkmaster

Cheers

2011/2/15 John Williams <john.b.williams () gmail com>:

I need to get a SNORT system up and running quickly and have a couple questions:

1) Network taps seem very expensive. Possible stupid question: Is there a reason why one couldn't use a "sniffer" (i.e. read-only) port on an Ethernet VLAN switch rather than a Network Tap? Doesn't it do the same thing?
2) Is there an automated process for updating the latest signatures?

Thank you!
------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
jesler () sourcefire.com
http://blog.snort.org && http://blog.clamav.net

--
Regards,
Jason.
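
Added example, not part of the original thread or any poster's message: a sizing check for the points raised above about mirrored ports saturating and about link utilization when several networks feed one SPAN/monitor port. It assumes both directions of each link are mirrored, that per-link octet counters are cumulative 64-bit values (such as IF-MIB ifHCInOctets/ifHCOutOctets), and that loss is approximated without switch buffering; the link names, counter values, 10-second interval and 1 Gb/s monitor port are constructed.

```python
COUNTER_MAX = 2**64  # 64-bit octet counters wrap back to zero


def delta(prev, cur):
    """Octets transferred between two cumulative readings, wrap-safe."""
    return (cur - prev) % COUNTER_MAX


def span_load(samples, interval_s, monitor_bps):
    """samples: {link: [(rx_octets, tx_octets), ...]} cumulative readings.

    Mirroring both directions means rx and tx of every source link land on
    the single monitor port, so the offered load is the sum of both.
    Returns one dict per interval with offered bits/s and estimated loss.
    """
    n = min(len(readings) for readings in samples.values())
    report = []
    for i in range(1, n):
        octets = 0
        for readings in samples.values():
            (rx0, tx0), (rx1, tx1) = readings[i - 1], readings[i]
            octets += delta(rx0, rx1) + delta(tx0, tx1)
        offered = octets * 8 / interval_s
        # Anything above the monitor port's line rate never reaches the sensor.
        loss = max(0.0, 1 - monitor_bps / offered) if offered else 0.0
        report.append({"interval": i, "offered_bps": offered, "loss": loss})
    return report


def oversubscribed(report):
    """Intervals in which the sensor would have missed mirrored traffic."""
    return [r["interval"] for r in report if r["loss"] > 0]


def _readings(rx0, tx0, steps):
    """Build cumulative readings from per-interval octet counts (sample data)."""
    out = [(rx0, tx0)]
    for rx, tx in steps:
        out.append(((out[-1][0] + rx) % COUNTER_MAX, (out[-1][1] + tx) % COUNTER_MAX))
    return out


# Constructed sample: 6 mirrored links, a quiet interval then a busy one.
STEPS = [(100_000_000, 50_000_000), (250_000_000, 150_000_000)]
SAMPLES = {f"net{i}": _readings(i * 10**9, i * 10**8, STEPS) for i in range(1, 6)}
SAMPLES["net6"] = _readings(COUNTER_MAX - 50_000_000, 0, STEPS)  # rx counter wraps

if __name__ == "__main__":
    for row in span_load(SAMPLES, interval_s=10, monitor_bps=1_000_000_000):
        print(f"interval {row['interval']}: {row['offered_bps'] / 1e6:.0f} Mb/s "
              f"offered, ~{row['loss']:.0%} not delivered to the sensor")
```

Six links that each look lightly loaded can still exceed a single monitor port once both directions are summed, which is why the utilization question has to be answered before choosing between one combined span, an aggregation tap, or a sensor with one interface per network.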