[Snort-users] eliminating multicasts to reduce false positives

Juan Fernandez Juan.Fernandez at ...2210...
Tue Nov 30 03:27:15 EST 2004


HI,

 

I read in intrusion detection with snort from jack koziol that it is a good
idea to eliminate multicasts on the mirrored port that the sensor is
installed.

 

I have a cisco 2900 switch Is it possible to do this ? ( I mirror the
firewall port in the dmz ). I mean disable the multicasts on the mirrored
port and them mirror it).

 

What are the consciences of disabling multicasts anyway?

 

Thanks !!!

 

Juan 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20041130/83a13daf/attachment.html>


More information about the Snort-users mailing list