[Snort-users] Cisco Switch Question

Mike Shaw mshaw at ...3165...
Tue Oct 16 06:50:22 EDT 2001


 From my experience, some cheaper SOHO switches aren't really switches at 
all.  They are hubs that occasionally show some limited switch-like 
characteristics.  Can't really speak for the Linksys, but definitely some 
no-name 'switches' bought from the mom-and-pop places.  I've seen one that 
basically had one bridge-ish cross over port, and they called it a 
switch.  Double check and make sure what you have is an actuall 100% switch.

-Mike

At 07:31 AM 10/16/2001 -0400, Tim Parker wrote:
>One other question that comes to mind, is this just for Cisco equipment? I
>didn't do this at home on the Linksys and it works fine.
>
>-----Original Message-----
>From: Tim Parker [mailto:tparker at ...3825...]
>Sent: Tuesday, October 16, 2001 6:09 AM
>To: snort-users at lists.sourceforge.net
>Subject: RE: [Snort-users] Cisco Switch Question
>
>
>Thanks everyone for the help! I appreciate it.
>
>Tim
>
>
>-----Original Message-----
>From: Chris Schuler [mailto:cschuler at ...2467...]
>Sent: Monday, October 15, 2001 8:17 PM
>To: Tim Parker
>Subject: Re: [Snort-users] Cisco Switch Question
>
>
>you will need to set the port the snort machine is plugged into into a
>monitor port
>en
>conf t
>int f0/#  (#=port #)
>switchport monitor 1-24 (or you can give it a vlan # )
>^z
>wr me
>
>
>this will cause all traffic from the defince ports, or vlan to be mirrored
>to that port..thus letting the snort box see all traffic
>if ya get in trouble do a  '?'
>
>
>
>----- Original Message -----
>From: "Tim Parker" <tparker at ...3825...>
>To: <snort-users at lists.sourceforge.net>
>Sent: Monday, October 15, 2001 8:11 PM
>Subject: [Snort-users] Cisco Switch Question
>
>
> > I just set up an NT monitoring station at home on my small network and I
> > have it plugged into a Linksys 10/100 Switch. At work I have both a
>Mandrake
> > 8.0 system and an NT box with Snort 1.8, these are both plugged into a
>Cisco
> > 2912 on my desk. I am not getting any alerts from the two units at work.
> > What do I need to do differently? I just want them to monitor the subnet
> > they are on now for testing. Eventually (after a learn a bit more!) I am
> > going to be setting up a unit to monitor a DMZ and a web site. Thanks for
> > any pointers.....
> >
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users






More information about the Snort-users mailing list