[Snort-users] Snort multiple sensor configuration

Stephen Reese rsreese at ...11827...
Thu Oct 9 16:09:41 EDT 2008

> Yes! Excellent point.  This is a very common deployment error.  Use
> MRTG or SNMP to watch for dropped packets on the switchport that the
> sensor is plugged into.
> For example, using a 10/100 port to monitor a switch with 48 ports, I
> can just about guarantee that snort will drop no packets at all,
> because it's only going to get one percent or less of the total traffic.

I'm using monitor session to monitor the port that the internet and T1
feed into the main network:

monitor session 1 source interface Fa0/1
monitor session 1 destination interface Fa0/3
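
The drop check suggested in the quoted text, sketched as an added example (not part of the original post): given two SNMP polls of the SPAN destination port, it computes utilization and discards, allowing for Counter32 wrap. It assumes the standard IF-MIB counters ifOutOctets and ifOutDiscards have already been read for Fa0/3; the poll values, the 100 Mb/s speed and the 0.8 threshold are constructed for illustration.

```python
COUNTER32_MOD = 2 ** 32  # ifOutOctets and ifOutDiscards are Counter32 in IF-MIB

def counter_delta(old, new, modulus=COUNTER32_MOD):
    """Difference between two readings of a counter that wrapped at most once."""
    return (new - old) % modulus

def span_port_report(first, second, if_speed_bps):
    """Summarise the interval between two polls of the SPAN destination port.

    Each poll is a dict with 'time' (seconds), 'ifOutOctets' and 'ifOutDiscards'.
    """
    seconds = second["time"] - first["time"]
    if seconds <= 0:
        raise ValueError("polls must be in time order")
    octets = counter_delta(first["ifOutOctets"], second["ifOutOctets"])
    dropped = counter_delta(first["ifOutDiscards"], second["ifOutDiscards"])
    return {
        "utilization": octets * 8 / (seconds * if_speed_bps),
        "dropped": dropped,
        "discards_per_sec": dropped / seconds,
    }

def verdict(report, util_threshold=0.8):
    """Classify the interval; util_threshold is an assumed warning level."""
    if report["dropped"] > 0:
        return "dropping"       # the switch discarded mirrored frames
    if report["utilization"] >= util_threshold:
        return "near capacity"  # no drops yet, but little headroom left
    return "ok"

# Constructed sample: two polls 300 s apart on a 100 Mb/s destination port.
# ifOutOctets wraps between the polls, which the modular delta handles.
FIRST_POLL = {"time": 0, "ifOutOctets": 4_000_000_000, "ifOutDiscards": 1_200}
SECOND_POLL = {"time": 300, "ifOutOctets": 3_267_532_704, "ifOutDiscards": 46_200}
SPAN_PORT_SPEED_BPS = 100_000_000

if __name__ == "__main__":
    report = span_port_report(FIRST_POLL, SECOND_POLL, SPAN_PORT_SPEED_BPS)
    print(report, verdict(report))
```

At 100 Mb/s a 32-bit octet counter can wrap in under six minutes, so the poll interval has to stay shorter than that for the delta to be valid.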

