[Snort-users] heavily switched networks

Russell Fulton r.fulton at ...3809...
Wed Dec 24 13:35:02 EST 2003

> Message: 1
> From: Stewart Larsen <slarsen42 at ...1457...>
> To: snort-users at lists.sourceforge.net
> Date: Tue, 23 Dec 2003 21:38:33 -0500
> Subject: [Snort-users] heavily switched networks
> I've looked into this and can't seem to find an answer I like. Perhaps
> I'm asking the wrong question.
> Suppose I have a network consisting of a gateway which goes into a
> firewall.  The connection from the firewall goes into a switch which
> leads to another level of switches. Some of these machines are servers,
> some are workstations. None of the switches have port mirroring (SPAN
> ports).

Without port mirroring you are pretty well stuffed :(  Your best bet is
probably to run snort on each of your servers but the additional CPU
load may not be acceptable.  

Long term, persuade your company to invest in network infrastructure
that facilitates monitoring, e.g. switches with multiple span ports.  They
are not that much more expensive.

Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!
