snort-users May 2009 archive

[Snort-users] SPAN groups and network taps

From: Jefferson, Shawn <Shawn.Jefferson_at_nospam>
Date: Wed May 20 2009 - 22:31:41 GMT
To: "" <>


I'm currently using Snort with a SPAN group on a Cisco 6500 switch to one port, and I'm contemplating whether or not this is sufficient.

For those Cisco experts out there, what's the limitation regarding egress mirroring on the 6500? Is it 1 per switch, or 1 per port SPAN group? I've got 4 main ports I want to mirror all the traffic to inspect with Snort, and ideally I'd like to see BOTH directions of all traffic. I'm also capturing all traffic with Daemonlogger on the Snort boxes and keeping that around a week or so to help with incident response. I'd like to see both sides of the traffic there too.

Any suggestions for network taps? I guess depending on the answer to my question above, it will dictate how I approach the network tap configuration, or maybe multiple NICs on the Snort machine itself and still utilize SPAN ports/groups.

The taps at seem interesting...

