[Snort-users] Snort multiple sensor configuration

Matt Olney molney at ...1935...
Thu Oct 9 16:21:50 EDT 2008


Bah...I can't stand IOS on Cat switches.

Check your port statistics (I don't have a Cisco switch available to me) but
look for buffer failures or dropped packets either outbound or inbound.

Matt

On Thu, Oct 9, 2008 at 4:09 PM, Stephen Reese <rsreese at ...11827...> wrote:

> > Yes! Excellent point.  This is a very common deployment error.  Use
> > mrtg or snmp to watch for dropped packets on the switchport that the
> > sensor is plugged into.
> >
> > For example, using a 10/100 port to monitor a switch with 48 ports, I
> > can just about guarantee that snort will drop no packets at all,
> > because it's only going to get one percent or less of the total traffic.
>
> I'm using monitor session to monitor the port that the internet and T1
> feed into the main network:
>
> monitor session 1 source interface Fa0/1
> monitor session 1 destination interface Fa0/3
>
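
Added example, not part of the original thread: one way to do the switchport check suggested above, by comparing two SNMP polls of the SPAN destination port (Fa0/3 in the quoted config). It assumes the switch reports mirrored frames it could not transmit in IF-MIB ifOutDiscards and that the port runs at 100 Mb/s; the function names and the counter samples are constructed for illustration.

```python
from dataclasses import dataclass

COUNTER32_MOD = 2 ** 32   # ifOutUcastPkts / ifOutDiscards are Counter32
COUNTER64_MOD = 2 ** 64   # ifHCOutOctets is Counter64


@dataclass
class Sample:
    ts: float           # poll time in seconds
    out_octets: int     # IF-MIB ifHCOutOctets
    out_pkts: int       # IF-MIB ifOutUcastPkts
    out_discards: int   # IF-MIB ifOutDiscards


def delta(new: int, old: int, mod: int) -> int:
    """Counter difference that stays correct across one wrap between polls."""
    return (new - old) % mod


def assess(prev: Sample, cur: Sample, link_bps: float,
           loss_threshold: float = 0.001) -> dict:
    """Summarise what the sensor-facing port did between two polls."""
    dt = cur.ts - prev.ts
    if dt <= 0:
        raise ValueError("samples are out of order or identical")
    octets = delta(cur.out_octets, prev.out_octets, COUNTER64_MOD)
    sent = delta(cur.out_pkts, prev.out_pkts, COUNTER32_MOD)
    dropped = delta(cur.out_discards, prev.out_discards, COUNTER32_MOD)
    offered = sent + dropped
    loss = dropped / offered if offered else 0.0
    return {
        "utilization": octets * 8 / dt / link_bps,
        "sent": sent,
        "dropped": dropped,
        "loss": loss,
        # Frames discarded here never reach Snort, so Snort's own
        # drop statistics will not show them.
        "sensor_blind": loss > loss_threshold,
    }


# Constructed samples, 300 s apart; the packet counter wraps between polls.
PREV = Sample(ts=0.0, out_octets=10_000_000_000,
              out_pkts=4_294_960_000, out_discards=100)
CUR = Sample(ts=300.0, out_octets=13_600_000_000,
             out_pkts=2_992_704, out_discards=150_100)

if __name__ == "__main__":
    for key, value in assess(PREV, CUR, link_bps=100e6).items():
        print(f"{key}: {value}")
```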

