I really don't see any reason why this wouldn't work. If it's a single
pipe, that'll do; if there's more than one 7206 on your end, you'll need two
NICs with snort active on both, or a hub'd setup. Unless you're looking at
over 40Mb/s sustained, I really don't like running snort on two interfaces
just because I don't see the need, but maybe I'm just odd and don't like
making boxes do things that make me feel icky. The port monitor will show
you almost everything; packets that fail CRC will never show up on it,
afaik.
-Brad McConnell.
"Keith Woodworth" wrote in message news:[EMAIL PROTECTED]...
> On Tue, 15 May 2001, Brad McConnell wrote:
>
> |+I do a semi-classical arrangement. We have two pipes to the net going to
> |+two different switches. I use SPAN to send all ingress traffic on the
> |+external router to a port which I plug into a hub. I then do the same on
> |+the second pipe, and plug the IDS box running snort into the hub (thus, all
> |+traffic in both directions can be read off one interface).
>
> I want to do something similar but our main feed comes into a 7202,
> which in turn is connected to a 7206 via xover cable from FE to FE on each
> router. The 7202 is our upstream and don't have access to the CLI. The 7206
> is ours.
>
> What I was thinking was plug both the 7206 and 7202 into a spare
> 2900XL switch we have, then plug my snort box into the switch as well. But
> the 2900 does not have SPAN; it has a similar command called port monitor
> that does the same thing that SPAN does.
>
> Would this work? I would like to be able to use snort to see all our
> incoming traffic destined for our machines this way.
>
> We see avg load of about 6-7 megs/sec inbound about 1.5-2 megs/sec
> outbound.
>
> Thanks,
> Keith
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=4661&t=4436