Re: [Snort-users] Port Aggregator Tap alternatives for snort sensor

--===============0283739058==
Content-Type: multipart/alternative;
boundary="----=_Part_7851_27887714.1204591185275"

------=_Part_7851_27887714.1204591185275
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Is the same sensor to analyze the multiple taps? You may define multiple
source interfaces or VLANs in the same monitoring session.

monitor session 1 source interface fa0/1,fa0/2,fa03

Andrew


On Mon, Mar 3, 2008 at 4:55 PM, Stephen Reese <rsreese@gmail.com> wrote:

> I've been using a Cisco 2950 for single tap I have setup and it has
> worked fine to date.
>
> !
> interface FastEthernet0/1
> switchport access vlan 100
> duplex full
> !
> interface FastEthernet0/2
> switchport access vlan 100
> duplex full
> !
> !
> monitor session 1 source interface Fa0/1
> monitor session 1 destination interface Fa0/3
>
> Port one is the internet source, port two is to my routing device and
> three is to my sensor.
>
> I would like to setup some more taps without having to run more
> switches. An alternative is to purchase a tap still (around $300) or
> making one from scratch
> (http://www.altsec.info/passive-network-tap.html) but I would prefer
> not to have to deal with bonding interfaces. I was considering another
> 2950 switch (still cost around $250 used) but I figure there has got
> to be a better solution? A port aggregator seems to be out of the
> question since they seem to run around $1000...
>
> Any recommendations? Thanks.
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users
>

------=_Part_7851_27887714.1204591185275
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Is the same sensor to analyze the multiple taps? You may define multiple source interfaces or VLANs in the same monitoring session.<br><br>monitor session 1 source interface fa0/1,fa0/2,fa03<br><br>Andrew<br><br><br><div class="gmail_quote">
On Mon, Mar 3, 2008 at 4:55 PM, Stephen Reese &lt;<a href="mailto:rsreese@gmail.com">rsreese@gmail.com</a>&gt; wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I've been using a Cisco 2950 for single tap I have setup and it has<br>
worked fine to date.<br>
<br>
!<br>
interface FastEthernet0/1<br>
&nbsp;switchport access vlan 100<br>
&nbsp;duplex full<br>
!<br>
interface FastEthernet0/2<br>
&nbsp;switchport access vlan 100<br>
&nbsp;duplex full<br>
!<br>
!<br>
monitor session 1 source interface Fa0/1<br>
monitor session 1 destination interface Fa0/3<br>
<br>
Port one is the internet source, port two is to my routing device and<br>
three is to my sensor.<br>
<br>
I would like to setup some more taps without having to run more<br>
switches. An alternative is to purchase a tap still (around $300) or<br>
making one from scratch<br>
(<a href="http://www.altsec.info/passive-network-tap.html" target="_blank">http://www.altsec.info/passive-network-tap.html</a>) but I would prefer<br>
not to have to deal with bonding interfaces. I was considering another<br>
2950 switch (still cost around $250 used) but I figure there has got<br>
to be a better solution? A port aggregator seems to be out of the<br>
question since they seem to run around $1000...<br>
<br>
Any recommendations? Thanks.<br>
<br>
-------------------------------------------------------------------------<br>
This SF.net email is sponsored by: Microsoft<br>
Defy all challenges. Microsoft(R) Visual Studio 2008.<br>
<a href="http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/" target="_blank">http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/</a><br>
_______________________________________________<br >
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users<br>
Snort-users</a> list archive:<br>
<a href="http://www.geocrawler.com/redir-sf.php3?list=snort-users" target="_blank">http://www.geocrawler.com/redir-sf.php3?list=snort-users</a><br>
</blockquote></div><br>

------=_Part_7851_27887714.1204591185275--


--===============0283739058==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
--===============0283739058==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
--===============0283739058==--