[Cialug] Snort in a switched network

Jeff Davis jeff at dynamictelecard.com
Tue Dec 6 12:00:46 CST 2005



Jerry Heiselman wrote:
> We have run SPAN on smaller switches (2900s and 2950s) without too much
> degradation in the performance.  it just depends on how much traffic we
> are talking about.

The one I want to do this with is a 3com superstack II 3300xm.
I think I could get away with only mirroring the one port that
uplinks to my router and T1.  If so then I'm only looking at 1.5M.
Hmmm... that might not be the performance hit that I was anticipating.
(Although I was previously thinking I'd need to mirror about 6 ports.)


#------ Side note -------
I hesitate to ask these types of questions on the LUG list.
I know there are others on the list that deal with such issues,
but I don't want some newbie who just subscribed to get hit
with such a thread and think they don't belong.
I was mentioning to Dave W. at the last LUG meeting
about the possibility of a DM area SAGE-like group/list.
Mostly intended for contractors and people in small IT shops
who would appreciate the opportunity to discuss things.
Personally, the last think I need is another monthly meeting to attend.
Although a mailing list might fly.
















More information about the Cialug mailing list