[Snort-users] Linux and switch problem???

twig les twigles at ...131...
Fri Jul 19 10:07:11 EDT 2002


K, I don't know Extreme, but check this out before
migrating to the 2912:

http://www.cisco.com/warp/public/473/41.html#archXL

As for the snort box doing any voodoo, I don't buy it.
 If there's a problem then it's on the switch and
simply putting the switch config back to pre-slowdown
config and seeing if the problem goes away should do
it.


--- Daniel Curry <dcurry at ...5551...> wrote:
> Twig,
>   Thank you for your help. Here are teh answers 
> to your questions?
> 
> 
> twig les wrote:
> > 
> > What kind of switch? 
>  Extreme summit 48
>  We will be installing onto a Cisco 2912.
> > What did you change in the sewitch config for this
> project? 
> Mirror port
> 
> > What else is the Linux box doing?
> Just running snort.
> 
> > Simply putting an interface into
> > promiscious mode can't affect a switch.  If you've
> > spanned a Cisco 29xx or 35xx, then you may be in
> > trouble, but make sure you aren't being
> scapegoated.
> > That's happened to me before ("Your sniffer is
> slowing
> > the network down!!" <huh?>)
> > 
> > --- Daniel Curry <dcurry at ...5551...> wrote:
> > >
> > >      I have configure my eth1 as following.
> > > eth1      Link encap:Ethernet  HWaddr
> > > 00:50:8B:E3:99:7C
> > >           UP BROADCAST RUNNING PROMISC MULTICAST
> > > MTU:1500  Metric:1
> > >           RX packets:0 errors:0 dropped:0
> overruns:0
> > > frame:0
> > >           TX packets:0 errors:0 dropped:0
> overruns:0
> > > carrier:0
> > >           collisions:0 txqueuelen:100
> > >           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
> > >           Interrupt:11 Base address:0xc000
> > >
> > >
> > > However I am getting reports from our network
> folks
> > > that "this is
> > > bringing the switch down?"
> > >
> > >
> > >   My ifcg-eth1 file looks like this.
> > > DEVICE=eth1
> > > BOOTPROTO=static
> > > ONBOOT=yes
> > >
> > >  Is there anything wrong with my configuration?
> > >
> > > Please reply directly. I received snort email
> via
> > > "digest" mode.
> > >
> > > Thank you.
> > > --
> > > Daniel Curry
> > > PGP AD5A 96DC 7556 A020 B8E7  0E4D 5D5E 9BA5
> C83E
> > 8C92> begin:vcard
> > > n:Curry;Daniel
> > > tel;fax:650-232-3200
> > > tel;work:650-232-4006
> > > x-mozilla-html:FALSE
> > > url:www.corio.com
> > > org:Corio Inc
> > > adr:;;959 Skyway Road  Suite 100;San
> > > Carlos;California;94070;USA
> > > version:2.1
> > > email;internet:dcurry at ...5551...
> > > title:Sr. Information Security Eng.
> > > x-mozilla-cpt:;-5312
> > > fn:Daniel Curry
> > > end:vcard
> > >
> > 
> > =====
> >
>
-----------------------------------------------------------
> > All warfare is based on deception.
> >
>
-----------------------------------------------------------
> > 
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! Autos - Get free new car price quotes
> > http://autos.yahoo.com
> 
> -- 
> Daniel Curry
> DIRECT 650-232-4006
> FAX 650-232-3200
> PGP AD5A 96DC 7556 A020 B8E7  0E4D 5D5E 9BA5 C83E
8C92> begin:vcard 
> n:Curry;Daniel
> tel;fax:650-232-3200
> tel;work:650-232-4006
> x-mozilla-html:FALSE
> url:www.corio.com
> org:Corio Inc
> adr:;;959 Skyway Road  Suite 100;San
> Carlos;California;94070;USA
> version:2.1
> email;internet:dcurry at ...5551...
> title:Sr. Information Security Eng.
> x-mozilla-cpt:;-5312
> fn:Daniel Curry
> end:vcard
> 


=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------

__________________________________________________
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes
http://autos.yahoo.com




More information about the Snort-users mailing list