[Snort-users] Snort on switched network

Erek Adams erek at ...577...
Tue Oct 9 11:26:06 EDT 2001


On Tue, 9 Oct 2001, Ashley Thomas wrote:

> It is a bad idea to run Snort (or any IDS for that matter) on a switched
> network, am I right?
> Are there any workarounds?

No, it's not a 'bad thing'; you just may not get what you expect.  Switches
maintain a list of MAC addresses and what port they are connected to on the
switch.  They only send traffic destined for that MAC down that port.  In
other words, you usually can't sniff all the traffic.

Workarounds?  Well, if your switch has a port designed for monitoring, or you
can configure spanning (some Ciscos) or port mirroring you'll see all of the
traffic.  If that's not possible, then drop about $400 on a Shomiti tap.  You
can place that in front of the switch and get the same results as
spanning/mirroring.

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
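A quick sanity check for the situation described in the reply, added here as an example and not part of the original post or of Snort: on a plain switch port a sensor only sees frames addressed to its own MAC plus broadcast/multicast, so any unicast frame between two other hosts proves the port is spanned/mirrored (or sits behind a tap). The script parses `tcpdump -e -n` lines (constructed sample lines below; the sensor MAC is an assumed value) and reports a verdict.

```python
import re

# tcpdump -e prints "HH:MM:SS.usec SRC_MAC > DST_MAC, ethertype ..." per frame.
_LINE_RE = re.compile(r"^\S+\s+([0-9a-f:]{17})\s+>\s+([0-9a-f:]{17}),", re.I)

def parse_tcpdump_e(lines):
    """Yield (dst_mac, src_mac) tuples from 'tcpdump -e -n' output lines."""
    for line in lines:
        m = _LINE_RE.match(line)
        if m:
            yield m.group(2).lower(), m.group(1).lower()

def is_group_address(mac):
    # Low bit of the first octet set => multicast or broadcast (flooded to all ports).
    return int(mac.split(":")[0], 16) & 0x01 == 1

def classify(frames, sensor_mac):
    """Count frames by whether an un-mirrored switch port would deliver them."""
    counts = {"own": 0, "group": 0, "foreign": 0}
    for dst, src in frames:
        if dst == sensor_mac.lower():
            counts["own"] += 1        # addressed to the sensor: always delivered
        elif is_group_address(dst):
            counts["group"] += 1      # broadcast/multicast: flooded, seen anyway
        else:
            counts["foreign"] += 1    # unicast between other hosts: needs SPAN/tap
    return counts

def mirroring_verdict(counts):
    """'mirrored' if foreign unicast was seen, else 'not-mirrored' or 'no-traffic'."""
    if counts["foreign"] > 0:
        return "mirrored"
    if counts["own"] + counts["group"] > 0:
        return "not-mirrored"
    return "no-traffic"

SENSOR_MAC = "00:11:22:33:44:55"   # assumed MAC of the Snort sniffing interface

# Constructed sample capture lines (not real traffic), in tcpdump -e -n layout.
SAMPLE_MIRRORED = [
    "10:01:00.000001 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: ...",
    "10:01:00.000002 aa:bb:cc:dd:ee:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: ...",
    "10:01:00.000003 aa:bb:cc:dd:ee:04 > aa:bb:cc:dd:ee:03, ethertype IPv4 (0x0800), length 98: ...",
]
SAMPLE_PLAIN_PORT = [
    "10:02:00.000001 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: ...",
    "10:02:00.000002 aa:bb:cc:dd:ee:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: ...",
    "10:02:00.000003 aa:bb:cc:dd:ee:05 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 80: ...",
]

if __name__ == "__main__":
    for name, lines in (("mirrored", SAMPLE_MIRRORED), ("plain", SAMPLE_PLAIN_PORT)):
        c = classify(parse_tcpdump_e(lines), SENSOR_MAC)
        print(name, c, "->", mirroring_verdict(c))
```

In practice, capture a few hundred frames with `tcpdump -e -n -i <iface> -c 200` on the sensor interface and feed the lines to `classify`; a "not-mirrored" verdict on a busy segment means the SPAN/mirror or tap is not in place.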
