[Snort-users] Configuring Cisco switches...

Bryan Childs bryan.childs at ...3120...
Fri Sep 21 08:26:06 EDT 2001


Muchos grassy arse everyone - we've turned the port mirroring on - and we're
away....

Did anyone ever tell you how great you all are ? :)

Bry

> -----Original Message-----
> From: Bob Staaf [mailto:rstaaf at ...1457...]
> Sent: 21 September 2001 15:38
> To: Bryan Childs; 'Erek Adams'
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Configuring Cisco switches...
> 
> 
> Bryan,
> 
>      If he is so set against hubs his only other choice is to set up the
> network monitoring port using span on the switch.  I don't see any other way
> to do it without putting snort on every box you want to monitor.
> 
> Bob
> 
> ----- Original Message -----
> From: "Bryan Childs" <bryan.childs at ...3120...>
> To: "'Erek Adams'" <erek at ...577...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Friday, September 21, 2001 10:21 AM
> Subject: RE: [Snort-users] Configuring Cisco switches...
> 
> 
> > Ok - after talking to my net admin chappy - he has another question, and I
> > quote :
> >
> > "it would be better to ask of the best way to set up an ethernet network to
> > optimise your chances of capturing information whilst maintaining high
> > performance switched networks"
> >
> > and he said to ignore any smart arses that suggested going back to using
> > hubs :)
> >
> > Well ?
> >
> > Anyone got any good advice on this...
> >
> > On the face of it - turning on the port mirroring on the switch sounds like
> > it will do the job - but will anything suffer noticeably after we've done
> > it? (Apart from the snort box, we're expecting that!)
> >
> > Bry
> >
> >
> > > -----Original Message-----
> > > From: Erek Adams [mailto:erek at ...577...]
> > > Sent: 21 September 2001 15:15
> > > To: Bryan Childs
> > > Cc: 'snort-users at lists.sourceforge.net'
> > > Subject: Re: [Snort-users] Configuring Cisco switches...
> > >
> > >
> > > On Fri, 21 Sep 2001, Bryan Childs wrote:
> > >
> > > > > Hi everyone - this question has probably been done to death, but my google
> > > > > searching for answers has amounted to nought - so I'm going to have to ask
> > > > > it again I'm afraid!
> > >
> > > It's Ok, we'll just give you lashes with a wet noodle.  ;-)
> > >
> > > > > The network here in my building is of course suffering from the recent Nimda
> > > > > virus/worm breakout, and we're trying to track infected boxes with snort.
> > > > >
> > > > > The entire network here is running on switched ethernet, which is giving us
> > > > > a bit of a headache. Most of the switches are dumb 3Com supplied ones, but
> > > > > we've been sensible enough (we think) to plug our snort box into the Cisco
> > > > > one which sits at the top of the network.
> > > > >
> > > > > The trouble is that we *still* don't seem to be able to monitor attacks
> > > > > which don't directly go for the snort box itself.
> > > > >
> > > > > The card is set up in promiscuous mode as it should be - but we think we
> > > > > need to do something to the switch to make sure it sees ALL our internal
> > > > > network traffic.
> > > > >
> > > > > Does anyone know what we might have missed? Or have any suggestions at all?
> > >
> > > Yeppers...
> > >
> > > http://snort.sourcefire.com/docs/faq.html#1.8
> > >
> > > > Now, your Cisco _should_ be able to do that.  If you don't know talk with your
> > > > local networking geek.  Bribe him with some wire ties or something...
> > >
> > > > Cheers amigos......
> > >
> > > Oh, you're bringing the beer?  Great!  Bring some Shinerbock.  :)
> > >
> > > -----
> > > Erek Adams
> > > Nifty-Type-Guy
> > > TheAdamsFamily.Net
> > >
> >
> >
> 
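The symptom in this thread (a promiscuous sensor on a switch port that only sees traffic aimed at itself) can be checked from a capture. The sketch below is an added example, not code from the thread or from Snort: it classifies raw Ethernet frames and treats a two-way unicast conversation between two other hosts as the sign that port mirroring is delivering traffic. The MAC addresses and frames are constructed, and the two-way rule is a heuristic assumed here because a switch may flood an occasional one-way frame for an unlearned destination even without mirroring.

```python
from collections import Counter

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def eth(dst: str, src: str) -> bytes:
    """Constructed Ethernet II frame: dst, src, EtherType IPv4, zero padding."""
    return mac(dst) + mac(src) + b"\x08\x00" + bytes(46)

def classify(frame: bytes, sensor: bytes) -> str:
    if len(frame) < 14:
        return "runt"            # too short to hold an Ethernet header
    dst, src = frame[:6], frame[6:12]
    if dst[0] & 0x01:            # group bit set: broadcast/multicast, sent to every port
        return "flooded"
    if sensor in (dst, src):     # the sensor's own unicast traffic
        return "own"
    return "foreign"             # unicast between two other hosts

def mirror_check(frames, sensor: bytes):
    """Return (per-class counts, set of foreign host pairs seen in both directions)."""
    counts, seen = Counter(), set()
    for frame in frames:
        kind = classify(frame, sensor)
        counts[kind] += 1
        if kind == "foreign":
            seen.add((frame[6:12], frame[:6]))   # (src, dst)
    two_way = {frozenset(p) for p in seen if p[0] != p[1] and (p[1], p[0]) in seen}
    return counts, two_way

def mirroring_looks_active(frames, sensor: bytes) -> bool:
    return bool(mirror_check(frames, sensor)[1])

# Constructed sample data: locally administered unicast MACs, not from the thread.
SENSOR, HOST_A, HOST_B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
# Without mirroring: a broadcast, the sensor's own traffic, one stray flooded frame.
NO_MIRROR = [eth("ff:ff:ff:ff:ff:ff", HOST_A), eth(SENSOR, HOST_A),
             eth(HOST_A, SENSOR), eth(HOST_B, HOST_A)]
# With mirroring: both directions of the A <-> B conversation reach the sensor.
WITH_MIRROR = NO_MIRROR + [eth(HOST_A, HOST_B), eth(HOST_B, HOST_A)]

if __name__ == "__main__":
    for name, frames in (("no mirror", NO_MIRROR), ("with mirror", WITH_MIRROR)):
        counts, pairs = mirror_check(frames, mac(SENSOR))
        print(name, dict(counts), "mirroring active:", bool(pairs))
```

On a real sensor the frame list would come from a capture taken on the monitoring interface, with the sensor's own MAC passed in as `sensor`.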