[Snort-users] switch port as network tap?

John Williams john.b.williams at ...11827...
Tue Feb 15 11:23:10 EST 2011


Excellent.

Can anyone recommend a make/model of VLAN switch for this purpose, for
ID of up to 6 networks, with a span port on each network combined to a
single port for SNORT to listen on?

Thanks!


On Tue, Feb 15, 2011 at 11:04 AM, Joel Esler <jesler at ...1935...> wrote:
> Hubs are only half duplex.  If you care.
>
> 1)  Yes you can span multiple ports to a single port and have Snort listen on that single port.  Depending on the switch.  Some switches can only do one port to one port spanning, some can only have two spans per switch, etc.  Look at the limitations.
>
> 2)  Look into PulledPork.
>
> http://www.snort.org/snort-downloads/additional-downloads#pulledpork
>
> Joel
>
> On Feb 15, 2011, at 10:54 AM, John Williams wrote:
>
>> Thanks Agus & Gravy
>>
>> Gravy, I think you answered my next question, which is, can I
>> combine the SPAN (network tap) ports into a single VLAN to feed SNORT?
>> Your suggestion that a network hub will work seems to indicate the
>> answer is yes.
>>
>>
>>
>> On Tue, Feb 15, 2011 at 10:49 AM, GravyFace <gravyface at ...11827...> wrote:
>>> Also a network hub will work, if you have one lying around.
>>>
>>> On Tue, Feb 15, 2011 at 10:38 AM, Agus <agus.262 at ...11827...> wrote:
>>>> Hi John,
>>>>
>>>> 1) You can easily use a switch port SPAN. You would have to be careful
>>>> with which ports you mirror and traffic because they could saturate and
>>>> create load on the switch probably.
>>>>
>>>> 2) Pulledpork and oinkmaster
>>>>
>>>> Cheers
>>>>
>>>> 2011/2/15 John Williams <john.b.williams at ...11827...>:
>>>>> I need to get a SNORT system up and running quickly and have a couple questions:
>>>>>
>>>>> 1) Network taps seem very expensive. Possible stupid question:  Is
>>>>> there a reason why one couldn't use a "sniffer" (i.e. read-only) port
>>>>> on an Ethernet VLAN switch rather than a Network Tap?  Doesn't it do the
>>>>> same thing?
>>>>>
>>>>> 2) Is there an automated process for updating the latest signatures?
>>>>>
>>>>> Thank you!
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
>>>>> Pinpoint memory and threading errors before they happen.
>>>>> Find and fix more than 250 security defects in the development cycle.
>>>>> Locate bottlenecks in serial and parallel code that limit performance.
>>>>> http://p.sf.net/sfu/intel-dev2devfeb
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>
>>>>
>>>
>>
>
> --
> Joel Esler
> jesler () sourcefire.com
> http://blog.snort.org && http://blog.clamav.net
>
>



