SNORT and mirroring port?

kendalle01 — Fri, 21 Feb 2020 08:22:54 GMT

I have a 4507R switch with multiple VLANS or subnets. I've installed SNORT on a test machine I have but it doesn't pick up anything outside of it's subnet. According to the documentation I read I won't be able to see all the traffic on the switch and need to mirror a port. Anyone with experience using SNORT with a switched network?

Re: SNORT and mirroring port?

mostiguy — Fri, 09 Sep 2005 15:30:04 GMT

Yes. You need to figure out what ports contain the traffic you want to view, and also how much data that might be. I knew that a fast ethernet port connecting to a PIX would contain all the data entering and exiting our network, so that is the port I mirrored for snort to monitor. I was mostly interested in monitoring the traffic entering and exiting our network.

I am not sure how well snort deals with vlan tags - you might need to ensure that snort is only getting non tagged packets.

topic Re: SNORT and mirroring port? in Network Security

SNORT and mirroring port?

Re: SNORT and mirroring port?