[Snort-users] Using snort on a switched network

Jason Costomiris jcostom at ...2019...
Sun Jan 6 12:49:04 EST 2002


On Sun, Jan 06, 2002 at 11:21:37AM -0700, Linux Boy wrote:
:      One quick question.  How does snort do NID on a switched network? 

As others have noted, set up a SPAN port.

However, in many large organizations, this is not a possibility.  Why?
The switches are typically not controlled by the security group, but
rather by network/telecom.  To get around that, do one of two things:

1. Use a tap - others have noted this.

2. Use a hub - plug the internal i/f into the hub, plug your snort box
into the hub.  Take the cable that was connected to the internal i/f of
the firewall and use that as the uplink on the hub.  Make sure it's a 
good, solid quality hub.  $10 netgear hubs most likely are not what you
want for this job. :)

I also seemed to gather that you wanted to run your NIDS outside your
firewall.  If you're only going to run one sensor, make it just inside the
firewall.  Think about it - are you more concerned with attack signatures
showing up outside or inside your firewall?  If you're smart, you're more
concerned about the inside. :)

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
          Quidquid latine dictum sit, altum viditur. (Whatever is said in Latin sounds profound.)
                    My account, My opinions.
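A quick sanity check for the sensor side of the setup above, added here as an example and not part of the original post: on a plain switch port the sensor NIC only ever receives frames addressed to its own MAC, broadcast or multicast, so counting unicast frames addressed to other MACs in a short capture tells you whether the SPAN port, tap or hub is actually delivering mirrored traffic. The sensor MAC and the sample frames are constructed for illustration.

```python
"""Does the sensor interface see other hosts' traffic?

A switch only delivers frames to a port if they are addressed to that
port's MAC, broadcast or multicast. A SPAN port, tap or hub changes that.
Feed this raw Ethernet frames (e.g. from a pcap) and check the result:
zero "foreign_unicast" frames after a reasonable capture window means the
mirroring is not working and snort will see almost nothing.
"""
import struct

SENSOR_MAC = bytes.fromhex("00aabbccddee")   # assumed sensor NIC address


def parse_frame(frame: bytes):
    """Return (dst, src, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])


def classify(dst: bytes, own_mac: bytes) -> str:
    """Bucket a destination MAC by how a switch port would treat it."""
    if dst == own_mac:
        return "own"
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 0x01:            # group bit set: multicast
        return "multicast"
    return "foreign_unicast"     # only visible via SPAN/tap/hub


def visibility_report(frames, own_mac=SENSOR_MAC) -> dict:
    counts = {"own": 0, "broadcast": 0, "multicast": 0, "foreign_unicast": 0}
    for f in frames:
        dst, _, _ = parse_frame(f)
        counts[classify(dst, own_mac)] += 1
    counts["sees_mirrored_traffic"] = counts["foreign_unicast"] > 0
    return counts


def build_frame(dst_hex, src_hex, etype=0x0800, payload=b"\x00" * 46):
    return bytes.fromhex(dst_hex) + bytes.fromhex(src_hex) + struct.pack("!H", etype) + payload


# Constructed sample: what a sensor on an ordinary switch port typically sees
SWITCH_PORT_CAPTURE = [
    build_frame("00aabbccddee", "001122334455"),           # addressed to us
    build_frame("ffffffffffff", "001122334455", 0x0806),   # ARP broadcast
    build_frame("01005e000001", "001122334455"),           # IP multicast
]
# Constructed sample: the same sensor hanging off a SPAN port or hub
SPAN_PORT_CAPTURE = SWITCH_PORT_CAPTURE + [
    build_frame("000c29aabbcc", "001122334455"),           # other hosts' traffic
    build_frame("001122334455", "000c29aabbcc"),
]

if __name__ == "__main__":
    print("switch port:", visibility_report(SWITCH_PORT_CAPTURE))
    print("span/hub   :", visibility_report(SPAN_PORT_CAPTURE))
```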
