[Snort-users] snort implement questions?

Steve Scott sjscott007 at ...741...
Fri Jul 26 13:12:07 EDT 2002


Let's not forget that if you're doing any type of stateful inspection it's
not going to work with a tap.  I have yet to find an IDS vendor that has
the ability to combine both streams of an Ethernet tap.

Steve


On Fri, 2002-07-26 at 14:36, Moyer, Shawn wrote:
> 
> 1) If everything that you want to see is connected to the hub, then yes, you
> can see everything that way, if running in promisc. mode. If you run snort
> on the firewall, you would not need promisc to see everything if all you
> want to monitor is what is passing through the firewall anyway.
> 
> 2) There are a number of reasons why you might want to use a tap instead of
> the span-port or mirror-port function on a switch. For one, the tap splits
> the signal into inbound (rx) and outbound (tx) so you can monitor one or
> both sides of a connection. Also, if (as is my case at work) your network
> admins need the span port for other network diagnostics and the type of
> switch you use can only have one mirror port per switch, you may need to use
> a tap instead. For most people the taps aren't necessary though.
> 
> 
> 
> --shawn
> 
> 
> 
> > -----Original Message-----
> > From: Vincent Chen [mailto:vcba79 at ...6112...]
> > Sent: Thursday, July 25, 2002 21:42
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] snort implement questions?
> > 
> > 
> > 
> > Dear all,
> > 
> > I have 2 questions about snort implementation:
> > 
> > 1. If I connect snort to a hub, promiscuous mode should be enabled to
> > let snort see all activities, right?
> > But if I run snort on a gateway which also acts as a firewall, is it necessary
> > to enable promiscuous mode? All inbound and outbound traffic will go
> > through this box in this case.
> > 
> > 2. I saw an article which mentioned a TAP device recently. I don't quite
> > understand this article. If my switch can redirect all traffic to the port
> > which the snort box is connected to, do I need such a device?
> > 
> > 
> > Best regards,
> > 
> > Vincent Chen
> > 
> > 
> > 
> > 
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> 
> 
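The thread's point that a tap splits a link into separate rx and tx legs, and that stateful inspection needs both, can be seen with a small handshake tracker. This is an added example, not part of the original messages and not Snort code; the `Seg` record, the addresses and the packets are constructed, and the merge assumes both legs are timestamped against the same clock.

```python
import heapq
from collections import namedtuple

# Seg is a hypothetical, simplified packet record (not a Snort structure).
Seg = namedtuple("Seg", "ts src dst flags")

# Constructed sample: one TCP handshake split across the two legs of a tap.
CLIENT, SERVER = "10.0.0.5:40000", "192.0.2.10:80"
FLOW = frozenset((CLIENT, SERVER))
RX_LEG = [Seg(0.000, CLIENT, SERVER, "S"),    # client -> server leg
          Seg(0.020, CLIENT, SERVER, "A"),
          Seg(0.021, CLIENT, SERVER, "PA")]
TX_LEG = [Seg(0.010, SERVER, CLIENT, "SA"),   # server -> client leg
          Seg(0.030, SERVER, CLIENT, "A")]

def merge_legs(rx, tx):
    """Interleave both legs by capture time (assumes a shared clock)."""
    return list(heapq.merge(rx, tx, key=lambda s: s.ts))

def track(stream):
    """Minimal handshake tracker: returns {flow: state} after the stream."""
    table = {}
    for seg in stream:
        flow = frozenset((seg.src, seg.dst))  # same key for both directions
        state, initiator = table.get(flow, ("NEW", None))
        if state == "NEW" and seg.flags == "S":
            state, initiator = "SYN_SENT", seg.src
        elif state == "SYN_SENT" and seg.flags == "SA" and seg.src != initiator:
            state = "SYN_RCVD"
        elif state == "SYN_RCVD" and seg.flags == "A" and seg.src == initiator:
            state = "ESTABLISHED"
        table[flow] = (state, initiator)
    return {flow: st for flow, (st, _) in table.items()}

if __name__ == "__main__":
    for name, stream in [("rx leg only", RX_LEG), ("tx leg only", TX_LEG),
                         ("rx then tx, unordered", RX_LEG + TX_LEG),
                         ("merged by timestamp", merge_legs(RX_LEG, TX_LEG))]:
        print(f"{name:24s} -> {track(stream)[FLOW]}")
```

Only the time-ordered merge of both legs lets the tracker reach `ESTABLISHED`; either leg alone, or the two legs read one after the other, leaves the flow in an incomplete state.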





