[Snort-users] Snort in a switched environment

Justin M. Parker bluesman at ...5852...
Tue May 14 08:39:11 EDT 2002

On Tue, 14 May 2002, Bastian Ballmann wrote:
> Hello! Is it possible to run Snort in a switched environment? Because
> Snort can only sniff the traffic of the host it is running on. Unless
> it is doing something like ARP poisoning or something like this... But
> I think this would lead to trouble if you run the arpspoof
> preprocessor ;) Greets

It would probably benefit you in this case if you ran Demarc and ACID or
such, where you can have a Snort server on each machine that is monitored.
Demarc will let you add several Snort "clients" and watch them from a main
interface. Not sure about the ARP spoof stuff.

Hope this helps,

Justin M. Parker      --------/     \     o---
Systems Administrator   -----/       \    | http://www.pneumatek.com
Pneumatek, Inc.           ---\       /      http://www.thetekshop.com |
(417)264-4800              ---\     /                              ---o
