[Snort-users] Switched hub

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Wed Sep 15 01:05:16 EDT 2004


--On 15 September 2004 07:17 +0000 patrick.marquetecken at ...1187... wrote:

> In about 1 month we are going to switch from a DMZ hub to a switch
> network. Wat is the best way for following the network traffic, as normal
> its not possible to view other ports with a switch network.

Actually, it is with plenty of switches (especially cheap, unmanaged 
switches), if you them with ARP announcements so that they degrade into hub 
mode. But I digress, as that isn't really a sensible solution for your 
problem. ;-)

What you need to do is to configure a SPAN or mirror port on your switches 
and connect your NIDS sensor(s) to those, or place taps between switches 
and connect your NIDS sensor(s) to those. Which approach you take depends 
on what you want to see.

> TIA
> Patrick

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9






More information about the Snort-users mailing list