[Snort-users] Snort multiple sensor configuration

Jack Pepper pepperjack at ...14319...
Thu Oct 9 14:39:08 EDT 2008

Quoting Matt Olney <molney at ...1935...>:

> Stephen,
> As an aside, since you're using (I'm assuming SPAN or RSPAN) sessions on the
> Cisco switches, make sure that you aren't dropping any packets at the swtich
> port.  I've seen installations where they have oversubscribed their SPAN
> ports and have lost packets there, rather than on the interface to the Snort
> box.

Yes! excellent point.  This is a very common deployment error.  use  
mrtg or snmp to watch for dropped packets on the switchport that the  
sensor is plugged into.

for example, using a 10/100 port to monitor a switch with 48 ports, I  
can just about guarantee that snort will drop no packets at all.   
because it's only going to get one percent or less of the total traffic.



Framework?  I don't need no stinking framework!

@fferent Security Labs:  Isolate/Insulate/Innovate  

More information about the Snort-users mailing list