OSEC

From: Samuel festus Stover (sstovervisto.com)
Date: Thu Jun 07 2001 - 15:37:53 CDT

    >All the IDS does is sniff the traffic and respond if
    >necessary. I don't want anything else running on
    >the mirrored port.

    This is obviously the best solution for an Enterprise
    Network. However, I'm sure there are people out there
    with DSL/cable-modems/whatever that don't always have the
    resources available to do this. For a SOHO, running Snort
    on your IPFilter/IPChains OpenBSD box is a valid solution.
    I know this doesn't answer the original question (since
    that was in reference to SPANed ports), but I thought I'd
    slap my $.002 on the table.

    In regards to SPANed ports, I believe it's vendor/switch
    dependent as to whether you can communicate out a monitor
    port. For instance, if you want to use something like
    Sniper (Dragon IDS), you need the ability to transmit out
    the sniffing interface. You don't need an IP stack (still
    in stealth mode here), but you must be able to transmit.
    I've seen this work (on a Baystack switch), but I've also
    seen this not work (Extreme, maybe?). Any of you hardcore
    Cisco-nuts know this off the top of your heads? Can you
    push traffic back out of a 2900 monitor port?

    S. festus

    Blame is for God and small children.
    Dega/"Papillon"
