[Snort-users] what's the best setup?

Chris Eidem ceidem at ...5503...
Mon Jun 17 08:40:03 EDT 2002


depending on your switch, you can set up a monitoring port (port span in
ciscoland) and mirror the ports your servers are on to that port and
sniff from there.  potential problem is that the combined bandwidth
could sink your switch's backplane, so ymmv...

if you are lucky and have these servers on different switches, then you
could span multiple ports with multiple cards in your snortbox.

 - chris

> 
> I was thinking about installing a "master" snort box, which would sniff
> on its own port and use mysql to store the data, and acid to present it
> through a web interface, and then install snort "sensors" on the other
> servers and report the data to the "master" server, the only problem
> with this is that some of the win servers are smp and winpcap doesn't
> like smp, is there another way to sniff out these servers without
> installing a "sensor" locally (did i miss something in the manual) or am
> I just S-O-L.
> 



