Hey Nigel, what do you mean by full portscanning? It's possible to
monitor switch port traffic but bandwidth is an issue. For instance: if
I configure 2 100Mbit/Full Duplex ports to be mirrored onto a single
100Mbit/Full Duplex port, there's no way that single port could listen
to 200Mbit/Full duplex. Differences in switching hardware will let you
be flexible with how you deal with these scenarios, but I tend to have
dedicated NICs on my IDS for each port I monitor. That way I have
bandwidth (to the IDS box) for every bit transmitted. I place my IDS at
the choke points (mirror traffic from routers and FWs to IDS). Can you
elaborate on what you meant?
<orig>
From: Hedges, Nigel
...
CISCO switch? Enable full portscanning on the port through which your SNORT
machine is hooked up. Talk to whoever is your router/switch guru
about this, (s)he should be able to configure this with no probs.
...
<orig>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
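The bandwidth argument in the reply above, worked through as an added example (not code from either poster): a small capacity check for mirror (SPAN) ports feeding an IDS. It counts each direction of a full-duplex link separately, assumes the monitor port only transmits toward the sensor, and uses constructed port names and the two layouts the reply contrasts (two ports onto one mirror port, versus one dedicated IDS NIC per monitored port).

```python
"""Worst-case capacity check for switch port mirroring toward an IDS."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Source:
    name: str
    link_mbit: int
    direction: str = "both"  # what the switch copies: "rx", "tx" or "both"

    def worst_case_mbit(self) -> int:
        # A full-duplex link can be saturated in both directions at once, and
        # mirroring "both" copies each direction into the single monitor port.
        if self.direction not in ("rx", "tx", "both"):
            raise ValueError(f"unknown direction {self.direction!r}")
        return self.link_mbit * (2 if self.direction == "both" else 1)


@dataclass
class MonitorPort:
    name: str
    link_mbit: int
    sources: List[Source] = field(default_factory=list)

    def offered_mbit(self) -> int:
        return sum(s.worst_case_mbit() for s in self.sources)

    def oversubscription(self) -> float:
        # The monitor port only sends toward the sensor, so its usable
        # capacity is one direction of the link, not the full-duplex total.
        return self.offered_mbit() / self.link_mbit


def report(monitors: List[MonitorPort]) -> Dict[str, Tuple[int, float, bool]]:
    """Map monitor port -> (offered Mbit, oversubscription ratio, drops possible)."""
    return {m.name: (m.offered_mbit(), m.oversubscription(),
                     m.oversubscription() > 1.0) for m in monitors}


# Constructed scenarios; port names are placeholders, not a real switch.
def shared_mirror() -> Dict[str, Tuple[int, float, bool]]:
    # Two 100 Mbit full-duplex ports mirrored onto one 100 Mbit port.
    return report([MonitorPort("ids-nic0", 100, [Source("fw-uplink", 100),
                                                 Source("router-uplink", 100)])])


def dedicated_nics() -> Dict[str, Tuple[int, float, bool]]:
    # One IDS NIC per monitored port, as the reply describes.
    return report([MonitorPort("ids-nic0", 100, [Source("fw-uplink", 100)]),
                   MonitorPort("ids-nic1", 100, [Source("router-uplink", 100)])])


if __name__ == "__main__":
    print("shared:", shared_mirror())
    print("dedicated:", dedicated_nics())
```

Even a dedicated NIC is 2:1 oversubscribed in the worst case when both directions of a saturated full-duplex port are mirrored; mirroring a single direction, or a faster monitor link, brings the ratio to 1.0 or below.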