[Snort-users] Cisco Switch Question

sjk sjk at ...3835...
Tue Oct 16 10:28:10 EDT 2001


On the Cisco 2900/3500 SW you have to set a port up as a monitor port --
as I recall -- on the interface set "port monitor vlan 1" one port per
vlan.

--sjk


On Tue, 16 Oct 2001, Mike Shaw wrote:

>  From my experience, some cheaper SOHO switches aren't really switches at
> all.  They are hubs that occasionally show some limited switch-like
> characteristics.  Can't really speak for the Linksys, but definitely some
> no-name 'switches' bought from the mom-and-pop places.  I've seen one that
> basically had one bridge-ish cross over port, and they called it a
> switch.  Double check and make sure what you have is an actual 100% switch.
>
> -Mike
>
> At 07:31 AM 10/16/2001 -0400, Tim Parker wrote:
> >One other question that comes to mind, is this just for Cisco equipment? I
> >didn't do this at home on the Linksys and it works fine.
> >
> >-----Original Message-----
> >From: Tim Parker [mailto:tparker at ...3825...]
> >Sent: Tuesday, October 16, 2001 6:09 AM
> >To: snort-users at lists.sourceforge.net
> >Subject: RE: [Snort-users] Cisco Switch Question
> >
> >
> >Thanks everyone for the help! I appreciate it.
> >
> >Tim
> >
> >
> >-----Original Message-----
> >From: Chris Schuler [mailto:cschuler at ...2467...]
> >Sent: Monday, October 15, 2001 8:17 PM
> >To: Tim Parker
> >Subject: Re: [Snort-users] Cisco Switch Question
> >
> >
> >you will need to set the port the snort machine is plugged into into a
> >monitor port
> >en
> >conf t
> >int f0/#  (#=port #)
> >switchport monitor 1-24 (or you can give it a vlan # )
> >^z
> >wr me
> >
> >
> >this will cause all traffic from the defined ports, or vlan to be mirrored
> >to that port..thus letting the snort box see all traffic
> >if ya get in trouble do a  '?'
> >
> >
> >
> >----- Original Message -----
> >From: "Tim Parker" <tparker at ...3825...>
> >To: <snort-users at lists.sourceforge.net>
> >Sent: Monday, October 15, 2001 8:11 PM
> >Subject: [Snort-users] Cisco Switch Question
> >
> >
> > > I just set up an NT monitoring station at home on my small network and I
> > > have it plugged into a Linksys 10/100 Switch. At work I have both a Mandrake
> > > 8.0 system and an NT box with Snort 1.8, these are both plugged into a Cisco
> > > 2912 on my desk. I am not getting any alerts from the two units at work.
> > > What do I need to do differently? I just want them to monitor the subnet
> > > they are on now for testing. Eventually (after I learn a bit more!) I am
> > > going to be setting up a unit to monitor a DMZ and a web site. Thanks for
> > > any pointers.....
> > >
> > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> >
>
>
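
A check for the situation discussed in this thread, added here as an example and not part of any poster's message: before tuning Snort rules, confirm that the sensor's interface actually receives unicast frames exchanged between other hosts, which only happens once the switch port is mirroring. It assumes a capture printed with `tcpdump -e -n`; the MAC addresses, IP addresses, sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Link-level header as printed by `tcpdump -e -n`: "src_mac > dst_mac,"
FRAME = re.compile(
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}),", re.I)

def is_group(mac):
    # Broadcast and multicast addresses have the low bit of the first octet set;
    # a switch floods these to every port, mirrored or not.
    return int(mac[:2], 16) & 1 == 1

def mirror_report(lines, sensor_mac):
    """Classify captured frames relative to the sensor's own MAC address."""
    sensor = sensor_mac.lower()
    counts, pairs = Counter(), set()
    for line in lines:
        m = FRAME.search(line)
        if not m:
            continue
        src, dst = m.group(1).lower(), m.group(2).lower()
        if sensor in (src, dst):
            counts["own"] += 1              # seen on any switch port
        elif is_group(dst):
            counts["flooded"] += 1          # seen on any switch port
        else:
            counts["foreign_unicast"] += 1  # normally seen only on a monitor port
            pairs.add((src, dst))
    return counts, pairs

def mirror_working(lines, sensor_mac, min_frames=1):
    # Raise min_frames on a busy segment: a switch briefly floods unicast
    # frames for MACs it has not learned yet, which can yield a few strays.
    counts, _ = mirror_report(lines, sensor_mac)
    return counts["foreign_unicast"] >= min_frames

SENSOR = "02:00:00:00:00:0a"  # constructed sensor MAC
# Constructed capture from an ordinary (unmirrored) switch port.
UNMIRRORED = [
    "10:28:10.000001 02:00:00:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.10, length 46",
    "10:28:10.000200 02:00:00:00:00:01 > 02:00:00:00:00:0a, ethertype IPv4 (0x0800), length 74: 192.0.2.10.1025 > 192.0.2.50.22: Flags [S], length 0",
    "10:28:10.000300 02:00:00:00:00:0a > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 192.0.2.50.22 > 192.0.2.10.1025: Flags [S.], length 0",
]
# The same capture plus traffic between two other hosts, as a monitor port shows it.
MIRRORED = UNMIRRORED + [
    "10:28:11.000100 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: 192.0.2.10.1026 > 192.0.2.20.80: Flags [S], length 0",
    "10:28:11.000200 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 192.0.2.20.80 > 192.0.2.10.1026: Flags [S.], length 0",
]
```

A sensor that reports only `own` and `flooded` frames is sitting on an ordinary switched port, which matches the "no alerts" symptom in the original question.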




