[Snort-users] SPAN

Alexander Hoogerhuis alexh at ...3932...
Sat Aug 31 06:45:12 EDT 2002


I know I'm late off the block in answering, but if I'm not wrong you
can span a VLAN on the 29x0- and 25x0-switches, but it ain't horribly
fast. If your network is a bit sanely designed, there is hope you
might have a central 35x0-switch with the central servers hanging off
it, and trunks out to workgroup-switches (29x0'es). In this setting,
you can easily use a trunk-port and split out the VLANs you need on
a Linux box, and use snort on the individual interfaces you need to
monitor.

If you're a small to medium sized shop you'll be happy with a 100mbit
trunk and if you're in a bigger place you can live off one of the
gbit-uplinks on the 35x0. If you can't feed what you need through the
gbit link you shouldn't be running on a 35x0 anyway :)

mvh,
A

HenkP at ...6678... writes:

> It all depends on your setup, we have a hub outside the firewall - between
> the firewall and our ISP's router, with a snort sensor plugged into the
> hub.
> Internally we have switches and we use SPAN to one port where another snort
> sensor is plugged in for mainly monitoring inside traffic to our servers.
> Everything works 100%
> 
> Because we are using 2950 catalysts and we don't have a big core switch, I
> can only use SPAN on one switch, but this is the switch where all our
> servers are connected to, so any traffic destined for them will be caught
> on the SPAN port.
> If you have a big Catalyst like a 4000, or 5000 or 6000 series core switch
> then you can use SPAN not only on a port basis but you can also SPAN VLAN
> traffic to one port. i.e. SPAN across all internal traffic you have.
> 
> hope that gives you some idea,
> 
> Cisco's website has plenty of information on SPAN
> http://www-search.cisco.com/pcgi-bin/search/public.pl?q=SPAN+port&sa=Go&num=10&searchselector=0
> 
> Regards
> 
> Henk Pretorius
> 
> Chris Keladis <Chris.Keladis at ...6715...au>
> Sent by: snort-users-admin at ...635...eforge.net
> To: "Tim" <twr at ...163...>, "Snort-list" <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] SPAN
> 2002/08/20 03:07 AM
> 
> At 05:34 PM 19/08/2002 -0700, Tim wrote:
> 
> >Quick question, will snort sensors play with monitored ports on a Cisco
> >10/100 switch or is placing a hub the better way to set up the sensors?
> 
> I'm no switching expert by any stretch of the imagination, but I guess it
> would depend on the amount of traffic you're looking at.
> 
> A monitored port on a switch would work fine for low-traffic environments,
> but for higher speed monitoring it's more natural to use a hub.
> 
> Personally I like Ethernet taps the best, as they 'tap' into your network
> stream and split your traffic to your IDS systems.
> 
> One drawback with the taps is that they are usually Read-Only (there may be
> RW taps out there, I just have not seen them, myself), so you can't use any
> active-response features, which I don't agree with in principle anyway.
> 
> Anyway, just my 2quid. :)
> 
> 
> 
> Regards,
> 
> Chris.

-- 
Alexander Hoogerhuis                               | alexh at ...3932...
CCNP - CCDP - MCNE - CCSE                          | +47 908 21 485
"You have zero privacy anyway. Get over it."  --Scott McNealy
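
The trunk-splitting setup described at the top of this message, as an added example that is not part of the original post and not written by its author. It assumes an 802.1Q trunk, the iproute2 `ip` tool on the Linux sensor, and hypothetical values for the interface name (`eth1`), the VLAN IDs (10 and 20) and the Snort config and log paths.

```shell
#!/bin/sh
# Added example: split an 802.1Q trunk into per-VLAN sniffing interfaces and
# start one Snort process per VLAN. Every name and path is an assumption.
TRUNK_IF="${TRUNK_IF:-eth1}"     # NIC cabled to the switch trunk port (assumed)
VLANS="${VLANS:-10 20}"          # VLAN IDs to monitor (constructed sample)
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOG_ROOT="${LOG_ROOT:-/var/log/snort}"
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands only; 0 = run them (root)

run() {
    # Show the command, and execute it only when DRY_RUN=0.
    echo "$*"
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

valid_vlan() {
    # Usable 802.1Q VLAN IDs are 1-4094; 0 and 4095 are reserved.
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

setup_sensor() {
    vid="$1"
    valid_vlan "$vid" || { echo "skipping invalid VLAN id: $vid" >&2; return 1; }
    ifname="$TRUNK_IF.$vid"
    run ip link add link "$TRUNK_IF" name "$ifname" type vlan id "$vid"
    # Keep the sensor quiet: disable ARP and assign no IPv4 address.
    run ip link set dev "$ifname" arp off
    run ip link set dev "$ifname" up
    run mkdir -p "$LOG_ROOT/vlan$vid"
    run snort -D -i "$ifname" -c "$SNORT_CONF" -l "$LOG_ROOT/vlan$vid"
}

setup_all() {
    # The parent must be up before its VLAN sub-interfaces carry traffic.
    run ip link set dev "$TRUNK_IF" up
    rc=0
    for vid in $VLANS; do
        setup_sensor "$vid" || rc=1
    done
    return "$rc"
}

setup_all
```

Run it with `DRY_RUN=0` as root to apply the printed commands. Untagged (native VLAN) frames on the trunk arrive on the parent interface, not on any of the sub-interfaces.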