[Snort-users] Snort not seeing everything

Eric Hines eric.hines at ...8860...
Wed Jun 14 11:06:19 EDT 2006

Hash: SHA1

This doesn't look right. Why would you install a Tap, then hang the
Snort sensor off the switch? The purpose of the tap is to tap in to the
network and replace span ports on your switch. The Snort sensor is
supposed to be hanging off the monitoring port of the Tap.

Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC

- ---------------------------------------------

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 213
Crystal Lake, IL 60014
Toll Free: (877) 262-7593 ext:327
Direct: (847) 854-2725 ext:327
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
Email: eric.hines at ...8860...

- --------------------------------------------

"Enterprise Open Source Security Management"

fname lname wrote:
> Our office resently moved to a new location and now my snort not seeing
> everything so it must be something I didnt setup right.
> They way I have it setup is right off of the pix inside cable its going
> to a
> passive tap that i build from the docs on snorts site from there its going
> to the networks switch.  From that we have a few servers plugged in and
> another switch where a few more servers are and the lastly another switch
> where the workstations are plugged into.
> INTERNET---pix---TAP---switch1
>                             |            |
>                           IDS     switch2
>                                          |
>                                     switch3
> The above drawing is how the network is setup based on funds;  Based on the
> drawing if a workstation on switch3 goes to www.google.com should I see
> that
> traffic because I have a TAP in the inside wire of the pix which is the
> last
> route to the internet?
> Hmm, im thinking should I change the above network to look like this?
> INTERNET---pix---TAP---switch1---switch3
>                             |          |
>                           IDS   switch2
> Thank you for help in advance.
> ------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the Snort-users mailing list