[Snort-users] switch port as network tap?

Jason Brvenik jasonb at ...1935...
Tue Feb 15 16:59:58 EST 2011


I think things get a lot more difficult when you are looking for a
blind recommendation.

- When you say ID of up to 6 networks what does that mean?
- When you say span on each network combined, does that mean a feed
from 6 different switches combining into one span?
- What is the utilization of those links?

There are a lot of questions that come out of the question, and what the
tap vendors excel at handling and recommending. We are more than happy
to help and make a recommendation but it is going to involve a bit of
Q&A and the result may well be more difficult than just getting an
aggregation tap.

Your other option, and one that might be simpler to get going with but
more work to maintain, would be to use a sensor with 6 monitoring
interfaces.

On Tue, Feb 15, 2011 at 11:23 AM, John Williams
<john.b.williams at ...11827...> wrote:
> Excellent.
>
> Can anyone recommend a make/model of VLAN switch for this purpose, for
> ID of up to 6 networks, with a span port on each network combined to a
> single port for SNORT to listen on
>
> Thanks!
>
>
> On Tue, Feb 15, 2011 at 11:04 AM, Joel Esler <jesler at ...1935...> wrote:
>> Hubs are only half duplex.  If you care.
>>
>> 1)  Yes you can span multiple ports to a single port and have Snort listen on that single port.  Depending on the switch.  Some switches can only do one port to one port spanning, some can only have two spans per switch, etc.  Look at the limitations.
>>
>> 2)  Look into PulledPork.
>>
>> http://www.snort.org/snort-downloads/additional-downloads#pulledpork
>>
>> Joel
>>
>> On Feb 15, 2011, at 10:54 AM, John Williams wrote:
>>
>>> Thanks Agus & Gravy
>>>
>>> Gravy,  I think you answered my next question, which is: can I
>>> combine the SPAN (network tap) ports into a single VLAN to feed SNORT?
>>> Your suggestion that a network hub will work seems to indicate the
>>> answer is yes.
>>>
>>>
>>>
>>> On Tue, Feb 15, 2011 at 10:49 AM, GravyFace <gravyface at ...11827...> wrote:
>>>> Also a network hub will work, if you have one laying around.
>>>>
>>>> On Tue, Feb 15, 2011 at 10:38 AM, Agus <agus.262 at ...11827...> wrote:
>>>>> Hi John,
>>>>>
>>>>> 1) You can easily use a switch port SPAN. You would have to be careful
>>>>> with which ports you mirror and traffic because they could saturate and
>>>>> create load on the switch probably.
>>>>>
>>>>> 2) Pulledpork and oinkmaster
>>>>>
>>>>> Cheers
>>>>>
>>>>> 2011/2/15 John Williams <john.b.williams at ...11827...>:
>>>>>> I need to get a SNORT system up and running quickly and have a couple questions:
>>>>>>
>>>>>> 1) Network taps seem very expensive. Possible stupid question:  Is
>>>>>> there a reason why one couldn't use a "sniffer" (i.e. read-only) port
>>>>>> on an Ethernet VLAN switch rather than a Network Tap?  Doesn't it do the
>>>>>> same thing?
>>>>>>
>>>>>> 2) Is there an automated process for updating the latest signatures?
>>>>>>
>>>>>> Thank you!
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
>>>>>> Pinpoint memory and threading errors before they happen.
>>>>>> Find and fix more than 250 security defects in the development cycle.
>>>>>> Locate bottlenecks in serial and parallel code that limit performance.
>>>>>> http://p.sf.net/sfu/intel-dev2devfeb
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users at lists.sourceforge.net
>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>> --
>> Joel Esler
>> jesler () sourcefire.com
>> http://blog.snort.org && http://blog.clamav.net
>>
>>
>
>



-- 
Regards,

Jason.
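
A rough sizing check for the saturation concern and the "what is the utilization of those links?" question raised in this thread. This is an example added here, not code posted by anyone on the list; the link names, peak rates, and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    rx_mbps: float  # peak receive rate seen on the mirrored port
    tx_mbps: float  # peak transmit rate seen on the mirrored port


def span_load(links, dest_mbps, mirror_both=True):
    """Return (total_mbps, utilization, oversubscribed) for one SPAN destination.

    Mirroring both directions of a full-duplex port copies rx AND tx to the
    destination, which can only transmit at its own line rate.
    """
    total = sum(l.rx_mbps + (l.tx_mbps if mirror_both else 0.0) for l in links)
    return total, total / dest_mbps, total > dest_mbps


def drop_fraction(total_mbps, dest_mbps):
    """Share of mirrored traffic the destination port cannot carry at peak."""
    if total_mbps <= dest_mbps:
        return 0.0
    return (total_mbps - dest_mbps) / total_mbps


# Constructed sample: six monitored networks with measured peak rates (Mbps).
LINKS = [
    Link("net1", 220, 180), Link("net2", 90, 60), Link("net3", 310, 240),
    Link("net4", 40, 35), Link("net5", 150, 120), Link("net6", 75, 50),
]

if __name__ == "__main__":
    for label, dest, both in [("1G dest, rx+tx", 1000, True),
                              ("1G dest, rx only", 1000, False),
                              ("10G dest, rx+tx", 10000, True)]:
        total, util, over = span_load(LINKS, dest, both)
        lost = drop_fraction(total, dest)
        print(f"{label}: {total:.0f} Mbps mirrored, {util:.0%} of port, "
              f"oversubscribed={over}, unseen at peak={lost:.1%}")
```

Traffic dropped at the SPAN destination never reaches Snort, so an oversubscribed mirror shows up as missed detections rather than as an error on the sensor.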



