[Snort-users] SPAN groups and network taps

Jefferson, Shawn Shawn.Jefferson at ...14448...
Wed May 20 18:31:41 EDT 2009


Hi,

I'm currently using Snort with a SPAN group on a Cisco 6500 switch to one port, and I'm contemplating whether or not this is sufficient.

For those Cisco experts out there, what's the limitation regarding egress mirroring on the 6500? Is it 1 per switch, or 1 per port SPAN group? I've got 4 main ports I want to mirror all the traffic to inspect with Snort, and ideally I'd like to see BOTH directions of all traffic. I'm also capturing all traffic with Daemonlogger on the Snort boxes and keeping that around a week or so to help with incident response. I'd like to see both sides of the traffic there too.

Any suggestions for network taps? I guess depending on the answer to my question above, it will dictate how I approach the network tap configuration, or maybe multiple NICs on the Snort machine itself and still utilize SPAN ports/groups.

The taps at http://www.datacomsystems.com/ seem interesting...

Thanks,
Shawn
