[Snort-users] heavily switched networks

twig les twigles at ...131...
Tue Dec 23 18:56:01 EST 2003

--- Stewart Larsen <slarsen42 at ...1457...> wrote:
> I've looked into this and can't seem to find an answer I like. Perhaps
> I'm asking the wrong question.
>
> Suppose I have a network consisting of a gateway which goes into a
> firewall. The connection from the firewall goes into a switch which
> leads to another level of switches. Some of these machines are servers,
> some are workstations. None of the switches have port mirroring (SPAN
> ports).
>
> I understand how to set up IDS at the gateway with a stealth interface.
> My question becomes, how do I effectively monitor the network? If I put
> a tap before each switch, I will not be able to monitor traffic between
> 2 machines on the other side of the switch, correct? Do I have to run a
> snort sensor on each server? On each workstation?
>
> Ideally, I'd like to have one sensor for each segment without having to
> basically throw away existing hardware and get SPAN switches.
You can use one or two boxes with multiple NICs sniffing,
running a different snort process for each one.  I'm doing that
and it works quite nicely if you name everything distinctly,
like "outbound.north.snort.sh" for the start script.
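A concrete way to run the setup the reply describes, one snort process per sniffing NIC on a single box with every process named distinctly, as an added example that is not part of the original thread. The segment names (north, south, dmz), interface names and directory layout are constructed placeholders, and the Snort 2.x flags it assumes are `-i` (interface), `-c` (config), `-l` (log directory), `-D` (daemonize), `-G` (log identifier) and `--pid-path`; check them against your own snort version before use.

```shell
#!/bin/sh
# Added example, not from the original post: start one snort process per
# sniffing interface, each with its own config, log directory, pid file and
# log identifier so alerts from different segments never get mixed together.
# Assumed Snort 2.x flags: -i -c -l -D -G --pid-path (verify on your build).

SNORT=${SNORT:-/usr/sbin/snort}        # snort binary (assumed path)
BASE=${BASE:-/var/log/snort}           # one log subdirectory per segment
CONF_DIR=${CONF_DIR:-/etc/snort}       # one <segment>.snort.conf per segment

# Constructed segment table: "<segment name>:<sniffing NIC>:<log identifier>".
# The sniffing NICs are the stealth interfaces (no IP address) on the sensor.
SEGMENTS="north:eth1:1 south:eth2:2 dmz:eth3:3"

# Build the command line for one segment; everything is keyed on the name.
snort_cmd() {
    name=$1; iface=$2; id=$3
    printf '%s -D -i %s -c %s/%s.snort.conf -l %s/%s -G %s --pid-path %s/%s\n' \
        "$SNORT" "$iface" "$CONF_DIR" "$name" "$BASE" "$name" "$id" "$BASE" "$name"
}

# Sanity check: refuse to start if a NIC or log identifier is reused, because
# two snort processes on one interface double every alert and two processes
# sharing an identifier make their events indistinguishable later.
check_unique() {
    dup_ifaces=$(for s in $SEGMENTS; do echo "$s" | cut -d: -f2; done | sort | uniq -d)
    dup_ids=$(for s in $SEGMENTS; do echo "$s" | cut -d: -f3; done | sort | uniq -d)
    [ -z "$dup_ifaces" ] && [ -z "$dup_ids" ]
}

# Launch (or, with DRY_RUN set, just print) one process per segment.
start_sensors() {
    check_unique || { echo "duplicate interface or id in SEGMENTS" >&2; return 1; }
    for s in $SEGMENTS; do
        name=${s%%:*}; rest=${s#*:}; iface=${rest%%:*}; id=${rest#*:}
        cmd=$(snort_cmd "$name" "$iface" "$id")
        if [ -n "$DRY_RUN" ]; then
            echo "$cmd"
        else
            mkdir -p "$BASE/$name" && $cmd
        fi
    done
}

# Usage: sh sensors.sh show   (print the command lines)
#        sh sensors.sh start  (actually daemonize the sensors)
case "$1" in
    show)  DRY_RUN=1 start_sensors ;;
    start) start_sensors ;;
esac
```

Each segment gets its own `<name>.snort.conf`, so the HOME_NET and rule set can differ per segment, and its own pid file directory, so a single process can be stopped or restarted without touching the others; that is the practical payoff of the "name everything distinctly" advice in the reply.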

