[Snort-users] I've read FAQ; Need switch/hub advice.

Shaun T. Erickson ste at ...11690...
Thu Apr 22 08:11:27 EDT 2004

I'm brand new to snort. I was just hired by a small firm to install it 
on their networks. I'm reading the Syngress Snort 2.0 book now. I have 
the 2.1 edition on order. I've read the FAQ section (1.8) on using snort 
in a switched environment. Doing my best to come up to speed asap, as 
they want it installed last month (of course).

Network setup: T1 coming in to a Cisco 2620, then on to a Sonicwall Pro 
330. There is a DMZ net on the sonicwall, that uses real ip addresses. 
The wan port of the sonicwall and the addresses in the DMZ are all on 
the same subnet. The lan interface of the sonicwall is connected to a 
linux iptables firewall with two internal lans connected to it. Each 
network (DMZ, LAN1 & LAN2) has a dumb, unmanaged, 16-port 100Mb switch 
on it.

From what I've read so far (having only started last night), I should 
put snort on three systems: one for each net (DMZ and both LANs).

First question: I don't want to compromise throughput, so it seems like 
the correct solution would be to replace the switches with managed 
switches that can mirror all traffic to a monitoring port. *Is* that the 
best solution? I don't want to tell them to spend money on something 
they don't need.

Second question: If doing what I suggest above is the right solution, 
can anyone recommend switches that don't suffer from performance 
degradation when mirroring the traffic to the monitoring port?

I really want to get this right, for two really important reasons: 1) I 
want to do my best for my customer, and 2) this is my first paying job 
since getting laid off a year and a half ago, and they have indicated 
that if this trial month goes well, they may hire me as an employee, so 
I *don't* want to fubar this.

Feel free to offer any advice/criticism you might think is pertinent to 
my getting this job done right, including anything related to things 
snort newbies frequently overlook or get wrong. :)


