[Snort-users] snort implement questions?

Moyer, Shawn SMoyer at ...5894...
Fri Jul 26 14:16:02 EDT 2002


I plug both cables from the tap into a hub -- it's a little goofy, but my
average traffic to that box is around 30Mbps, so it seems to be pretty
happy. 



--shawn


> -----Original Message-----
> From: Steve Scott [mailto:sjscott007 at ...741...]
> Sent: Friday, July 26, 2002 15:08
> To: Moyer, Shawn
> Cc: 'Vincent Chen'; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] snort implement questions?
> 
> 
> Let's not forget that if you're doing any type of stateful inspection it's
> not going to work with a tap.  I have yet to find an IDS vendor that has
> the ability to combine both streams of an Ethernet tap.
> 
> Steve
> 
> 
> On Fri, 2002-07-26 at 14:36, Moyer, Shawn wrote:
> > 
> > 1) If everything that you want to see is connected to the hub, then yes, you
> > can see everything that way, if running in promisc. mode. If you run snort
> > on the firewall, you would not need promisc to see everything if all you
> > want to monitor is what is passing through the firewall anyway.
> > 
> > 2) There are a number of reasons why you might want to use a tap instead of
> > the span-port or mirror-port function on a switch. For one, the tap splits
> > the signal into inbound (rx) and outbound (tx) so you can monitor one or
> > both sides of a connection. Also, if (as is my case at work) your network
> > admins need the span port for other network diagnostics and the type of
> > switch you use can only have one mirror port per switch, you may need to use
> > a tap instead. For most people the taps aren't necessary though.
> > 
> > 
> > 
> > --shawn
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: Vincent Chen [mailto:vcba79 at ...6112...]
> > > Sent: Thursday, July 25, 2002 21:42
> > > To: snort-users at lists.sourceforge.net
> > > Subject: [Snort-users] snort implement questions?
> > > 
> > > 
> > > 
> > > Dear all,
> > > 
> > > I got 2 questions about snort implement:
> > > 
> > > 1. if I connect snort to a HUB, promiscuous mode should be enabled to
> > > let snort see all activities. right?
> > > But if I run snort on a gateway which also acts as a firewall, is it
> > > necessary to enable promiscuous mode? all inbound and outbound traffic
> > > will go through this box in this case.
> > > 
> > > 2. I saw an article which mentioned TAP device recently. I don't quite
> > > understand this article. if my switch can redirect all traffic to the
> > > port which snort box connected to, do I need such a device?
> > > 
> > > 
> > > Best regards,
> > > 
> > > Vincent Chen
> > > 
> > > 
> > > 
> > > 
> > > -------------------------------------------------------
> > > This sf.net email is sponsored by:ThinkGeek
> > > Welcome to geek heaven.
> > > http://thinkgeek.com/sf
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > 
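Added example, not part of the original thread: a small Python sketch of the point discussed above, that a tap delivers each direction on a separate output and a stateful tracker only sees a complete TCP handshake once both outputs are merged into one stream. The packet records, addresses and function names are constructed for illustration, and the merge assumes both capture interfaces timestamp against the same clock.

```python
import heapq
from collections import namedtuple

# Constructed sample data: one TCP connection as seen on the two tap outputs.
Pkt = namedtuple("Pkt", "ts src dst flags")
CLIENT, SERVER = "10.0.0.5:40000", "192.0.2.10:80"

TAP_A = [  # client -> server direction only
    Pkt(1.000, CLIENT, SERVER, "S"),
    Pkt(1.020, CLIENT, SERVER, "A"),
    Pkt(1.030, CLIENT, SERVER, "PA"),
]
TAP_B = [  # server -> client direction only
    Pkt(1.010, SERVER, CLIENT, "SA"),
    Pkt(1.040, SERVER, CLIENT, "A"),
]

def merge_streams(*streams):
    """Interleave per-direction captures into one stream ordered by timestamp."""
    return list(heapq.merge(*streams, key=lambda p: p.ts))

def established_flows(packets):
    """Minimal handshake tracker: SYN, SYN/ACK and ACK must all be seen in order."""
    state, established = {}, set()
    for p in packets:
        flow = frozenset((p.src, p.dst))  # direction-independent flow key
        st = state.get(flow)              # (phase, initiator) or None
        if p.flags == "S":
            state[flow] = ("SYN_SENT", p.src)
        elif p.flags == "SA" and st and st[0] == "SYN_SENT" and p.dst == st[1]:
            state[flow] = ("SYN_RCVD", st[1])
        elif p.flags == "A" and st and st[0] == "SYN_RCVD" and p.src == st[1]:
            state[flow] = ("ESTABLISHED", st[1])
            established.add(flow)
    return established

if __name__ == "__main__":
    views = (("tap A only", TAP_A), ("tap B only", TAP_B),
             ("merged", merge_streams(TAP_A, TAP_B)))
    for name, pkts in views:
        print(f"{name}: {len(established_flows(pkts))} established flow(s)")
```

Either tap output alone never reaches the established state, because the SYN/ACK and the final ACK travel in opposite directions; feeding both outputs into a hub, as described at the top of this message, does the interleaving on the wire instead of in software.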