[Snort-users] how to use snort in a switched environment

Matt Schillinger mschilli at ...8937...
Wed May 14 09:03:19 EDT 2003


If you have the budget, you could get a gigabit module put into the
2924, then span multiple ports. You may have scaling issues; I think
that a 2.4GHz Xeon will handle between 250-400Mbits. You may consider a
TopLayer switch.

On Wed, 2003-05-14 at 09:31, Les Addison wrote:
> The Cisco 2924 does support port monitoring. The limitation is that you will have a 10/100 Mbps port attempting to monitor/mirror some number (potentially 23 in your case) of other 10/100 Mbps ports. Obviously, if any of the other ports is running at capacity then the monitor port will not be able to keep up and traffic will be dropped by the switch. So to use port monitoring the selection of which ports to monitor/mirror must be carefully watched to verify that you are not overloading the monitor port capacity and losing too much traffic.
> 
> 
> Leslie Addison
> Firewall/Security Administrator
> Morpace International, Inc.
> (248) 737-5315 x404
> 
> >>> "Jeremy Rodriguez" <jeremyrodriguez at ...8471...> 05/14/03 08:40AM >>>
> From snort DOCS:
> Q: I'm on a switched network, can I still use Snort?
> 
> A: Being able to sniff on a switched network depends on what type of
>    switch is being used.  If the switch can mirror traffic, then set
>    the switch to mirror all traffic to the snort machine's port.
> 
> My question is that I have a Cisco WS-C2924-XL and I was wondering if anyone
> has used snort and these switches successfully.
> 
> 
> The only other way I have found is:
> 
> INET
>   |
> ROUTER
>   |
>  HUB --------- SNORT
>   |
> SWITCH
>   |
> COMPANY
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net 
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Matt Schillinger
System Administrator
FlightSafety International
mschilli at ...8937...
314-551-8403
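
Added example, not part of the original thread: one way to do the monitor-port capacity check described in the quoted reply, using two snapshots of per-port octet counters. The port names, counter values, the 32-bit counter width and the assumption that each mirrored port contributes both its received and transmitted traffic are constructed for illustration.

```python
# Added example: will a 10/100 monitor port keep up with the ports it mirrors?
# Port names and counter values are constructed sample data, not from the thread.

COUNTER_MAX = 2**32   # assumption: 32-bit octet counters that wrap to zero
INTERVAL_S = 60       # seconds between the two snapshots

# port -> (octets received, octets transmitted)
SNAP_T0 = {
    "Fa0/1": (1_000_000_000, 2_000_000_000),
    "Fa0/2": (4_200_000_000, 500_000_000),   # rx counter is about to wrap
    "Fa0/3": (10_000_000, 20_000_000),
}
SNAP_T1 = {
    "Fa0/1": (1_300_000_000, 2_150_000_000),
    "Fa0/2": (130_032_704, 725_000_000),     # rx counter wrapped once
    "Fa0/3": (85_000_000, 20_000_000),
}


def delta(new, old):
    """Counter difference that tolerates a single wrap."""
    return (new - old) % COUNTER_MAX


def mirrored_mbps(t0, t1, interval_s=INTERVAL_S):
    """Average Mbit/s each source port would send to the monitor port.

    Assumes both directions are mirrored, so rx and tx are added together.
    """
    rates = {}
    for port, (rx1, tx1) in t1.items():
        rx0, tx0 = t0[port]
        octets = delta(rx1, rx0) + delta(tx1, tx0)
        rates[port] = octets * 8 / interval_s / 1e6
    return rates


def assess(rates, monitored, monitor_mbps=100.0):
    """Offered load on the monitor port and the share the switch must drop."""
    offered = sum(rates[p] for p in monitored)
    excess = max(0.0, offered - monitor_mbps)
    return offered, (excess / offered if offered else 0.0)


if __name__ == "__main__":
    rates = mirrored_mbps(SNAP_T0, SNAP_T1)
    for ports in (["Fa0/1", "Fa0/2", "Fa0/3"], ["Fa0/1", "Fa0/3"]):
        offered, drop = assess(rates, ports)
        print(f"{ports}: {offered:.0f} Mbit/s offered, {drop:.0%} dropped")
```

These are averages over the sampling interval; short bursts can still exceed the monitor port even when the average fits, and every dropped frame is traffic the sensor never inspects.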