From: Mayers, Philip J (p.mayersic.ac.uk)
Date: Wed Jun 06 2001 - 04:39:07 CDT

    I *have* to correct this (mainly because it's totally incorrect :o) - on
    most good switches, the uplink port is usually just a faster port (100 as
    opposed to 10, 1gig as opposed to 100) and it works just like any other
    switch port - only traffic for the MAC addresses specified goes out of it.

    You can nominate uplink ports as "all unknown" on some switches, which will
    turn off MAC learning on the uplink port and then send all unknown traffic
    out that port, but that won't work here - the MAC address of the snorted
    boxen will be learnt on whatever port you plug into, or not if it's the
    uplink port but then it won't be forwarded.

    The best bet with switches is to use a real monitor port, or put static MAC
    address entries for the monitored boxen on multiple ports - we used to use
    the latter, but we're on a span port now for ease of configuration.

    Regards,
    Phil

    +----------------------------------+
    | Phil Mayers, Network Support |
    | Centre for Computing Services |
    | Imperial College |
    +----------------------------------+

    -----Original Message-----
    From: Mike Johnson [mailto:mikeenoch.org]
    Sent: 06 June 2001 02:33
    To: snort-userslists.sourceforge.net
    Subject: Re: [Snort-users] Hub not a hub

    Just to chime in on this topic, remember that anything with an
    uplink port will repeat all traffic through that port. So, any
    traffic that goes through any of the ports will be repeated
    through that port, switch or no. So, plug your snort box in
    there, and you'll get to see all your traffic.

    Er, at least, in my experience. Gotta have the disclaimer.

    Mike

    -- 
    If at first you don't succeed, destroy all evidence that you tried --
    unknown
    

    _______________________________________________ Snort-users mailing list Snort-userslists.sourceforge.net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
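Added example, not part of the original messages or of Snort: a toy model of a learning switch showing what a silent sensor sees on an ordinary (or uplink) port, on a monitor/span port, and with a static MAC entry for the monitored host on two ports. The `Switch` class, port numbers, MAC labels and traffic are constructed for illustration, and the static-entry behaviour is an assumption based on the description in the reply above; real switches differ by vendor.

```python
from collections import defaultdict

class Switch:
    """Toy learning switch (constructed model, not any vendor's behaviour)."""
    def __init__(self, ports, mirror_port=None, static=None):
        self.ports = set(ports)
        self.mirror_port = mirror_port     # span/monitor port, if configured
        self.static = static or {}         # MAC -> set of ports (static entries)
        self.table = {}                    # learned MAC -> port
        self.seen = defaultdict(list)      # port -> frames delivered to it

    def receive(self, in_port, src, dst):
        if src not in self.static:
            self.table[src] = in_port      # MAC learning on the ingress port
        if dst in self.static:
            out = set(self.static[dst])    # static entry: every listed port
        elif dst in self.table:
            out = {self.table[dst]}        # known unicast: one port only
        else:
            out = self.ports - {self.mirror_port}   # unknown unicast: flood
        out.discard(in_port)
        if self.mirror_port is not None:
            out.add(self.mirror_port)      # monitor port gets a copy of everything
        for port in out:
            self.seen[port].append((src, dst))

SENSOR = 24   # port the silent Snort box is plugged into (assumed number)
# Constructed conversation: host A on port 1, monitored server B on port 2.
TRAFFIC = [(1, "A", "B"), (2, "B", "A"), (1, "A", "B"), (2, "B", "A")]

def sensor_view(**config):
    """Return the frames delivered to the sensor port under a given config."""
    sw = Switch(ports=[1, 2, SENSOR], **config)
    for in_port, src, dst in TRAFFIC:
        sw.receive(in_port, src, dst)
    return sw.seen[SENSOR]

if __name__ == "__main__":
    print("ordinary/uplink port:", sensor_view())
    print("span port:           ", sensor_view(mirror_port=SENSOR))
    print("static MAC for B:    ", sensor_view(static={"B": {2, SENSOR}}))
```

In this model the ordinary port only catches the first frame, flooded before B's address is learned, and the static entry delivers traffic sent to B but not B's replies.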