[ekrengel]

I would like to setup a snort box in my environment...what would be the best way to go about this?

I have read about using a SPAN port on a cisco switch, to have all traffic come through that 1 port that the IDS will monitor...which doesn't sound that great to me, or there is a network TAP which I believe is a separate piece of hardware you would have to buy.

Does anyone have some good examples that have worked well?

[dlaskov]

Hi ekrengel
The way of configuring is:
1. Configure SPAN port mapped on another port connected to server\suspicious machine to check.
2. All traffic is captured by SNORT scanner and analysed (another Linux\Windows Based station with SNORT installed).
3. Frequent checks of status and mail\SMS notification on SNORT to real-time monitor issues.
I think it's not the best way to forward all traffic throw SPAN port, especially in hard-working networks. The best way - to protect valuable information, but if You need complete defense no matter costs - its also possible.
For me it works with IIS WEB-server and mirrored port for all incoming traffic from external users.

[dlaskov]

Maybe this will be helpful:
http://www.cisco.com/warp/public/473/41.html

[ryansmitty]

ekrengel,

SPAN is great if you are on a budget however it has weakness that you should be aware. One of the biggest is that it doesn't scale well. The following link goes into detail on these weakness. Personally I use NetOptic TAPs.

http://www.lovemytool.com/blog/2007/...orts-or-t.html

Ryan