[Snort-users] heavily switched networks

Stewart Larsen slarsen42 at ...1457...
Tue Dec 23 18:39:01 EST 2003


I've looked into this and can't seem to find an answer I like. Perhaps
I'm asking the wrong question.

Suppose I have a network consisting of a gateway which goes into a
firewall.  The connection from the firewall goes into a switch which
leads to another level of switches. Some of these machines are servers,
some are workstations. None of the switches have port mirroring (SPAN
ports).

I understand how to set up IDS at the gateway with a stealth interface.
My question becomes, how do I effectively monitor the network?  If I put
a tap before each switch, I will not be able to monitor traffic between
2 machines on the other side of the switch, correct?

Do I have to run a Snort sensor on each server? On each workstation?
Ideally, I'd like to have one sensor for each segment without having to
basically throw away existing hardware and get SPAN switches.

-- 
Stewart Larsen




