On Monday 20 May 2002 8:35 pm, Ramin Alidousti wrote:

> > Now that you mention it Snort can do that, and checks every packet, which
> > is great. It just needs a table of valid MACs/IPs
> >
> > Unfortunately, here, with over 800 computers, managed via BOOTP on 4
> > different LANs and Cisco routers it would require to set up an additional
> > Linux host with all interfaces to all LANs and update the MAC/IP tables
> > every time there is a change to bootptab. Hmm, I think it's a good idea.
>
> 800 computers on 4 LANs. Hmmm. Follow the logic:
>
> Plugging the snort box into all these 4 LANs requires that snort
> sees all the packets on each LAN, which means that you either have
> no switch in each LAN or need to mirror all the traffic to the snort
> switch port. Hmmm. Good luck.

No, you just plug each network card on the snort box into a hub connected to
the corresponding leg of the router. Then the snort box gets to see all
packets to or from another network, and doesn't need to know about packets
within a single network which are handled by the switch (or was the problem
in this case that one host on a network was flooding another host on the same
network?).


Antony.
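
The thread mentions updating Snort's MAC/IP table every time bootptab changes. The following is an added example, not code from any poster in this thread, that regenerates such a table from bootptab. It assumes bootptab(5) syntax with ha= and ip= tags and that the table is consumed by Snort's arpspoof preprocessor (the thread does not name the Snort feature); the sample hosts and addresses are constructed.

```python
import re

# Constructed sample in bootptab(5) syntax; hosts and addresses are made up.
SAMPLE_BOOTPTAB = r"""
# template entry: tags only, no ha/ip, so it is skipped
.lan1:sm=255.255.255.0:gw=192.0.2.1:
pc001:tc=.lan1:ht=ethernet:\
    ha=00A0C9123456:ip=192.0.2.10:
pc002:tc=.lan1:ht=ether:ha="00:a0:c9:ab:cd:ef":ip=192.0.2.11:
printer:tc=.lan1:ht=ethernet:ha=00A0C9:ip=192.0.2.12:
"""

def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    joined = re.sub(r"\\\s*\n\s*", "", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def split_fields(entry):
    """Split on ':' except inside double quotes (a quoted ha= may hold colons)."""
    return [f.strip() for f in re.findall(r'(?:"[^"]*"|[^:])+', entry)]

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff, or None unless exactly 12 hex digits."""
    digits = re.sub(r'[":.\-\s]', "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def bootptab_to_pairs(text):
    """Return ([(ip, mac)], [rejected host names]); tc= templates are not expanded."""
    pairs, rejected = [], []
    for entry in logical_lines(text):
        fields = split_fields(entry)
        tags = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        if "ha" not in tags or "ip" not in tags:
            continue  # template or incomplete entry: nothing to pin
        mac = normalize_mac(tags["ha"])
        if mac:
            pairs.append((tags["ip"], mac))
        else:
            rejected.append(fields[0])  # malformed MAC: report, do not guess
    return pairs, rejected

def snort_lines(pairs):
    """Format pairs as arpspoof_detect_host directives (assumed consumer)."""
    return [f"preprocessor arpspoof_detect_host: {ip} {mac}" for ip, mac in pairs]
```

Entries returned in the rejected list should be fixed in bootptab rather than dropped silently, since a host missing from the table is a host whose address is not being checked.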
