[Snort-users] snort implement questions?
SMoyer at ...5894...
Fri Jul 26 12:37:03 EDT 2002
1) If everything that you want to see is connected to the hub, then yes, you
can see everything that way, if running in promisc. mode. If you run snort
on the firewall, you would not need promisc to see everything if all you
want to monitor is what is passing through the firewall anyway.
2) There are a number of reasons why you might want to use a tap instead of
the span-port or mirror-port function on a switch. For one, the tap splits
the signal into inbound (rx) and outbound (tx) so you can monitor one or
both sides of a connection. Also, if (as is my case at work) your network
admins need the span port for other network diagnostics and the type of
switch you use can only have one mirror port per switch, you may need to use
a tap instead. For most people the taps aren't necessary though.
> -----Original Message-----
> From: Vincent Chen [mailto:vcba79 at ...6112...]
> Sent: Thursday, July 25, 2002 21:42
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] snort implement questions?
> Dear all,
> I got 2 questions about snort implement:
> 1. if I connect snort to a HUB, promiscuous mode should be enabled to
> let snort see all activities. right?
> But if I run snort on a gateway which also act as firewall,
> is it necessary
> to enable promiscuous mode? all inbound and outbound traffice will go
> through this box in this case.
> 2. I saw an article which mentioned TAP device recently. I don't quite
> understand this article. if my switch can redirect all
> traffic to the port
> which snort box connected to, do I need such a device?
> Best regards,
> Vincent Chen
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users