[Snort-users] Span/Snoop ports...

Paul Halliday paul.halliday at ...11827...
Fri Mar 18 06:07:24 EST 2005


Marc, 

There are a few solutions:

1) Buy a TAP
http://www.netoptics.com <- One of many.

Hardware TAPS can be quite expensive. In some cases you may be better
off spending the money on a switch that has a span port.

2) Physically tap the line with a *nix box. For example you could have
two NICS just forwarding the traffic and tap into that. Latency
*might* be an issue depending on your setup. You can do some fancy
stuff with PF, for example dup to another (sensor) machine.

3) Build your own TAP. 
http://www.snort.org/docs/tap <- Mileage may vary. 


Good luck.

On Fri, 18 Mar 2005 08:31:19 -0500, Marc Hering <mhering at ...13116...> wrote:
>  
> Hey Guys, 
> I just deployed a Snort box to one of our data centers...and I ran into a
> bit of a snafu.  We have a 2948G-L3 switch and want to snort on it.   The
> problem is that a L3 switch doesn't support a snoop port...Has anyone found
> a way around this? 
>   
> Thanks! 




-- 
_________________
Paul Halliday
http://dp.penix.org

"Diplomacy is the art of saying "Nice doggie!" till you can find a rock."



