[Snort-users] Configuring Cisco switches...
MCessna at ...3439...
Fri Sep 21 08:27:05 EDT 2001
I place high quality hubs inbetween my fw interfaces as shown:
By using a hub by definition you see every packet that all other ports see.
Since the only things I have hanging off of the hubs are the snort sensors
you get only a negligible performance degradation. Also set the IDS
interface to be a IP'less interface with a receive only cable than you don't
have to worry about it sending anything over the wire. Use a second
interface to connect into your internal network so that you can receive
alerts, get logs, look at acid reports , etc.
Remember that this only works well if you have no other nodes on the hub but
the ids. If you hang another node off the hub than you run into the problem
of a shared collision domain and then the performance degradation is not
negligible (depends on how much the new node pump out over the wire).
There is nothing wrong with hubs as long as you use them in the right
From: Gadrow, Jim [mailto:jgadrow at ...3548...]
Sent: Friday, September 21, 2001 10:52 AM
To: 'Erek Adams'; Bryan Childs
Cc: 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] Configuring Cisco switches...
Shomiti taps run around $400 per tap, and you can rack mount them by the
dozen. My only problem with using that kind of a solution though is that I
don't think I can use flex-response if I'm using a tap or spanning a port.
I have the same problem as Bryan, with a switched network. Any ideas for a
very cost-effective monitoring design or tools are more than welcome.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users