[Snort-users] Configuring Cisco switches...

George D. Nincehelser george at ...2905...
Fri Sep 21 08:35:04 EDT 2001

Might a better tactic be to scan your internal networks periodically for infected or vulnerable machines and then fix or patch them?

Looking for internal infected machines via snort may be too late, especially consideirng that I've seen several recommendations that Nimda infected boxes be totally rebuilt :(

  ----- Original Message ----- 
  From: Bryan Childs 
  To: 'snort-users at lists.sourceforge.net' 
  Sent: Friday, September 21, 2001 8:59 AM
  Subject: [Snort-users] Configuring Cisco switches...

  [Also posted to the Snort forums]

  Hi everyone - this question has probably been done to death, but my google searching for answers has amounted to nought - so I'm going to have to ask it again I'm afraid! 

  The network here in my building is of course suffering from the recent Nimda virus/worm breakout, and we're trying to track infected boxes with snort.

  The entire network here is running on switched ethernet, which is giving us a bit of a headache. Most of the switches are dumb 3Com supplied ones, but we've been sensible enough (we think) to plug out snort box into the Cisco one which sits at the top of the network.

  The trouble is that we *still* don't seem to be able to monitor attacks which don't directly go for the snort box itself.

  The card is set up in promiscuous mode as it should be - but we think we need to do something to the switch to make sure it sees ALL our internal network traffic.

  Does anyone know what we might have missed? Or have any suggestions at all?

  Cheers amigos......



  Mercator - find out more at http://www.mercator.com

  The information in this email is confidential and is intended solely for the addressee(s). Access to this email by anyone else is unauthorised. If you are not an intended recipient, you must not read, use or disseminate the information contained in the email. 
  Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Mercator Software Ltd.
  Email to and from Mercator may be monitored.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010921/73a3be6d/attachment.html>

More information about the Snort-users mailing list