[Snort-users] When is a hub not a hub? (AuthReply)

Chris Green cmg at ...671...
Thu Jun 7 14:19:34 EDT 2001


Dan Hollis <goemon at ...20...> writes:
>> the DS line of hubs from Netgear are Dual Speed, that is they have the two
>> repeated channels, 100 and 10.  If, as in your situation, your machines
>> are all 100 (or even all 10) then you'll be fine with snort.
> 
> Still waiting for someone to review the shomiti ethernet taps for use with
> snort...
> 
> -Dan

Well, depending on what you are doing, they are acceptable, but I'm
using them in conjunction with a hub (actually 2).

inet
  |
[router]
  |
[ hub ] - shomiti - [ hub ] - monitoring devices 
  |
local

The thing that would be very nice is to drop it and replace the main hub
portion, but then you would break apart your RX/TX into 2 separate
channels to monitor.

Shomitis are designed like (might have the monitors swapped, but
I'm on vacation :> )

inet --              -- local

inet monitor        -- local monitor

so that you can see both sides of a 100mbit conversation

That's really great for being able to monitor troubles, but IDS works
best when you can see both sides at once at the same sensor.  I've not
tried unifying them at one hub yet, but that's one risk-prone possibility.
-- 
Chris Green <cmg at ...671...>
Laugh and the world laughs with you, snore and you sleep alone.
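
Added example, not part of the original post: a small Python sketch of why a sensor fed by only one tap monitor port cannot follow a TCP session, while the two directions merged by timestamp can. The packet records, addresses and function names are constructed for illustration, and the merge assumes both monitor ports are timestamped by the same clock.

```python
import heapq

# Constructed sample records: (timestamp, src, dst, tcp_flags).
# Frames travelling inet -> local, as seen on one tap monitor port.
INET_MONITOR = [
    (0.000, "198.51.100.7:40000", "192.0.2.10:80", "S"),
    (0.020, "198.51.100.7:40000", "192.0.2.10:80", "A"),
    (0.021, "198.51.100.7:40000", "192.0.2.10:80", "PA"),
]
# Frames travelling local -> inet, as seen on the other monitor port.
LOCAL_MONITOR = [
    (0.010, "192.0.2.10:80", "198.51.100.7:40000", "SA"),
    (0.030, "192.0.2.10:80", "198.51.100.7:40000", "A"),
]


def merge_by_time(*streams):
    """Interleave per-direction streams (each already time-sorted) into one.

    Assumption: all streams share one clock. With skewed clocks the
    SYN-ACK could sort before the SYN and the session would be missed.
    """
    return list(heapq.merge(*streams, key=lambda rec: rec[0]))


def established_flows(packets):
    """Return (client, server) flows whose full SYN, SYN-ACK, ACK
    handshake is visible in `packets`."""
    state = {}   # (client, server) -> handshake stage
    done = set()
    for _ts, src, dst, flags in packets:
        if flags == "S":
            state[(src, dst)] = "syn"
        elif flags == "SA":
            # Reply direction: look the flow up with src/dst swapped.
            if state.get((dst, src)) == "syn":
                state[(dst, src)] = "synack"
        elif "A" in flags and state.get((src, dst)) == "synack":
            state[(src, dst)] = "established"
            done.add((src, dst))
    return done


if __name__ == "__main__":
    print("inet monitor only :", established_flows(INET_MONITOR))
    print("local monitor only:", established_flows(LOCAL_MONITOR))
    merged = merge_by_time(INET_MONITOR, LOCAL_MONITOR)
    print("both, merged      :", established_flows(merged))
```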



