[Cialug] Snort in a switched network
Jeff Davis
jeff at dynamictelecard.com
Tue Dec 6 11:24:21 CST 2005
I want to deploy an old box as a dedicated Snort machine.
I'm looking at ways to do that properly in a switched environment.
- Network Taps are expensive.
- Multispeed hubs (e.g. 10/100) are really a switch with a small ARP cache.
Although it should still work, perhaps someone has done this and would
be willing to share their experience.
- SPAN / Port Mirroring / Roving Analysis, etc.
The 3com switches I have are capable of SPAN, but I'm a little concerned
about degrading the performance of the switch with this approach.
If anyone has tried this approach I'd really like to know.
-Jeff
More information about the Cialug
mailing list