[Snort-users] Re: What can Snort listen for (again)? (steven)

Joe Pampel joe at ...3851...
Tue Oct 23 04:05:02 EDT 2001

Hi - 

It depends on what kind of switch you are using, and what your topology is.
IMHO your best bet is to find the manual for the switch and figure out how to do the
mirror port. If your network core switch is multi-homed etc., I'm not sure of the best way
to deal with that; you'll really have to look at what you want to monitor and think
through the best locations for a sensor or sensors. (You may need several to make
this work.)

What I have done in the past is to pick a "choke point" - a place
where all my traffic appears, and put a hub there, and sniff that. For example, I could
take the LAN side of my internet gateway, put that into a hub with a Snort sensor and then run a 
cable back to the switch. Any traffic going to or from the 'net is now visible. The simpler
method is to mirror the port on the switch where the firewall plugs in.  You will have to go
into the switch and manage it to do this though.



>>> Piotr Synowiec <mysiar at ...3887...> 10/22/01 04:09PM >>>
On Mon, 2001-10-22 at 21:42, Joe Pampel wrote:
> If the hosts in question are plugged into the same hub as the snort sensor you're good to go.
> If you are running on a switch you have to create a mirror port for snort (so it can see the traffic
But how can I create this mirror port?
I have got a network with a few switches in a chain.


