A SPAN (Switched Port Analyzer) configuration, also commonly known as port mirroring, is a configuration option for network switches that makes the switch copy any traffic going through one or more ports on the switch to a destination port for traffic inspection by external tools.
This article describes SPAN configurations in detail and provides information on how to confirm that your configuration is working and that your traffic is being seen by Alert Logic® Threat Manager™.
Port mirroring via a SPAN configuration is used largely in physical network environments and is sometimes used in virtual environments.
Network intrusion detection systems such as Threat Manager need to be able to inspect customer network traffic in order to perform their function. Using a SPAN configuration is a common way to meet this requirement.
An alternative to port mirroring for capturing and inspecting traffic is the use of a host-based software agent. Threat Manager supports both port mirroring and agent-based traffic capturing.
The specifics of configuring a SPAN vary based on the switch vendor, the network environment, and what traffic needs to be mirrored. You can find details on how to configure your SPAN by consulting the switch vendor's documentation.
Once you have configured your SPAN and the port is connected to a network interface on a Threat Manager appliance, you will need to specify the networks you wish to monitor within the Alert Logic console. By default, no networks are monitored. Refer to the Threat Manager Detection - Networks documentation for information on creating and specifying your networks.
Once you have configured your networks in the Alert Logic console, Threat Manager will begin inspecting your traffic for threats. If threats are found, events and incidents will be generated that indicate the characteristics of the threat. In production networks with normal amounts of activity, threats will often be detected within minutes or hours of Threat Manager and the SPAN being configured.
Environments that see little activity or are strongly hardened against threats, however, could go days without detected threats. In these cases, it may not be obvious that your SPAN configuration is working successfully. One solution for this concern is intentionally generating activity in the environment that will be detected as threat activity. The activity will result in events and incidents being generated and displayed in the Alert Logic console. Refer to the Generate Test Threat Events and Incidents | How To knowledge base article for details.
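Before relying on detections to prove the SPAN is working, an engineer can check two things directly on the appliance's SPAN-facing interface: that unicast frames addressed to other hosts are arriving at all (the only way they reach this port is mirroring), and that the mirrored traffic actually falls inside the networks configured for monitoring, since unmonitored networks are ignored by default. The following added example (not Alert Logic code, and not from the article) does that over constructed sample frames; the appliance MAC, the monitored networks and the frames are all assumed values for illustration.

```python
import ipaddress
import struct

# Assumed values for this example: the MAC of the appliance NIC on the SPAN
# destination port, and the networks configured for monitoring in the console.
APPLIANCE_MAC = "02:00:00:00:00:01"
MONITORED = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "10.0.2.0/24")]

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    # Constructed Ethernet II frame with a minimal IPv4 header and no payload.
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip

def parse_frame(raw):
    # Return (dst_mac, src_ip, dst_ip) for a plain IPv4-over-Ethernet frame, else None.
    if len(raw) < 34 or raw[12:14] != b"\x08\x00" or raw[14] >> 4 != 4:
        return None
    return raw[0:6], ipaddress.IPv4Address(raw[26:30]), ipaddress.IPv4Address(raw[30:34])

def span_report(frames, appliance_mac, monitored):
    # Count frames that prove mirroring, and how many fall in each monitored network.
    own = mac_bytes(appliance_mac)
    report = {"mirrored": 0, "unmonitored": 0,
              "per_network": {str(n): 0 for n in monitored}}
    for raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:
            continue
        dst_mac, src_ip, dst_ip = parsed
        # A unicast frame addressed to another host can only arrive via the mirror.
        if dst_mac != own and (dst_mac[0] & 1) == 0:
            report["mirrored"] += 1
        hit = False
        for net in monitored:
            if src_ip in net or dst_ip in net:
                report["per_network"][str(net)] += 1
                hit = True
        if not hit:
            report["unmonitored"] += 1   # traffic the console will not inspect
    return report

# Constructed sample: two mirrored frames on 10.0.1.0/24, one frame for the appliance itself.
SAMPLE = [
    build_frame("02:00:00:00:00:aa", "02:00:00:00:00:bb", "10.0.1.10", "10.0.1.20"),
    build_frame("02:00:00:00:00:cc", "02:00:00:00:00:dd", "10.0.1.11", "192.0.2.5"),
    build_frame(APPLIANCE_MAC, "02:00:00:00:00:ee", "10.0.9.1", "10.0.9.2"),
]
```

On a real appliance the frames would come from a capture on the SPAN-facing interface; a report with zero mirrored frames points at the switch side, while mirrored frames that are all "unmonitored" point at the network definitions in the console.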