Snort mailing list archives
Re: Snort multiple sensor configuration
From: "Matt Olney" <molney () sourcefire com>
Date: Thu, 9 Oct 2008 16:21:50 -0400
Bah... I can't stand IOS on Cat switches. Check your port statistics (I don't have a Cisco switch available to me) but look for buffer failures or dropped packets either outbound or inbound.

Matt

On Thu, Oct 9, 2008 at 4:09 PM, Stephen Reese <rsreese () gmail com> wrote:
> > Yes! Excellent point. This is a very common deployment error. Use mrtg or snmp to watch for dropped packets on the switchport that the sensor is plugged into. For example, using a 10/100 port to monitor a switch with 48 ports, I can just about guarantee that snort will drop no packets at all, because it's only going to get one percent or less of the total traffic.
>
> I'm using monitor session to monitor the port that the internet and T1 feed into the main network:
>
> monitor session 1 source interface Fa0/1
> monitor session 1 destination interface Fa0/3
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
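An added example, not part of the original thread: one way to check the SPAN destination port (Fa0/3 in the configuration quoted above) for the dropped packets and buffer failures mentioned in the message, by parsing Cisco IOS `show interfaces` output. The sample output and its counter values are constructed, and the function names and the 80% utilisation threshold are assumptions.

```python
import re

# Constructed sample of IOS "show interfaces" output for the SPAN destination
# port from the thread (Fa0/3). All counter values are invented for illustration.
SAMPLE = """\
FastEthernet0/3 is up, line protocol is down (monitoring)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 48211
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 94310000 bits/sec, 11873 packets/sec
     912345678 packets output, 3456789012 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     17 output buffer failures, 0 output buffers swapped out
"""

PATTERNS = {
    "bw_kbit": r"BW (\d+) Kbit",
    "output_drops": r"Total output drops: (\d+)",
    "output_bps": r"output rate (\d+) bits/sec",
    "packets_output": r"(\d+) packets output",
    "buffer_failures": r"(\d+) output buffer failures",
}

def parse_counters(text):
    """Extract the counters that matter for a mirror (SPAN destination) port."""
    found = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text)
        found[name] = int(m.group(1)) if m else None  # None: counter not present
    return found

def assess(c, util_warn=0.80):
    """Return findings suggesting the sensor is not receiving all mirrored traffic."""
    findings = []
    if c["output_drops"]:
        # Packets sent plus packets dropped approximates what the switch tried to mirror.
        attempted = c["output_drops"] + (c["packets_output"] or 0)
        share = 100 * c["output_drops"] / attempted
        findings.append(f"{c['output_drops']} output drops ({share:.3f}% of mirrored packets)")
    if c["buffer_failures"]:
        findings.append(f"{c['buffer_failures']} output buffer failures")
    if c["bw_kbit"] and c["output_bps"] is not None:
        util = c["output_bps"] / (c["bw_kbit"] * 1000)
        if util >= util_warn:  # mirror port close to line rate: oversubscription likely
            findings.append(f"5-minute output utilisation {util:.0%} of line rate")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_counters(SAMPLE)):
        print("WARN:", finding)
```

Because the drops happen on the switch before traffic reaches the sensor, Snort's own drop statistics will not show them; these counters have to be read from the switch.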
