[Snort-users] Snort in a switched environment

Justin M. Parker bluesman at ...5852...
Tue May 14 09:56:04 EDT 2002


---------- Forwarded message ----------
Date: Tue, 14 May 2002 18:30:58 +0000
From: Edin Dizdarevic <edin.dizdarevic at ...5862...>
To: Justin M. Parker <bluesman at ...5852...>
Subject: Re: [Snort-users] Snort in a switched environment

Hi all,

isn't it a well known "switch-attack" to let a switch
exceed the internal ARP-Buffer so it switch back to the
hub mode. I don't think it's a good idea, since it lowers the
performance extremely. You may try taking a hub for those
special hosts you want to listen to. If you don't have a switch
with monitorig capability think about buying one. Since all better
switches are manageable in that issue you may be lucky and the
present one can do the job.

Hope could help!

best regards,

-- 
Edin Dizdarevic





More information about the Snort-users mailing list