FW: [Snort-users] Cisco switch configuration for sensor

gr8dane2 at ...163...
Thu Jan 16 10:50:07 EST 2003

Thanks, Kevin, for clarifying that for me. I turned off the tree-spanning and left on the port monitoring. For some reason I was under the impression that I needed tree-spanning on for it to work (I knew I should have taken those Cisco courses).

Also, thank you Twig Les for your responses!

Dane Howard
> From: "kevin reynolds" <kevinreynolds2525 at ...125...>
> Date: 2003/01/16 Thu PM 12:24:20 EST
> To: gr8dane2 at ...163...,  snort-users at lists.sourceforge.net
> Subject: Re: FW: [Snort-users] Cisco switch configuration for sensor
> Dane,
> If you have enabled spanning tree protocol under the assumption that it will allow the sensor to view copies of all traffic between the DSL router and the firewall, you are incorrect. STP is used to provide a loop-free switching path when multiple switches share VLANs. You will need to set up a SPAN (switch port analyzer) session directing all traffic observed on ports 1x and Bx to port Ax. But you could make the switch's life somewhat easier and send all traffic observed on just one of the ports to the IDS (just make sure you do it bi-directionally).
> Kevin
> >-----Original Message-----
> >From: gr8dane2 at ...163... [mailto:gr8dane2 at ...163...]
> >Sent: Thursday, January 16, 2003 11:32 AM
> >To: snort-users at lists.sourceforge.net
> >Subject: [Snort-users] Cisco switch configuration for sensor
> >
> >
> >Ok, I checked the Cisco sites and believe I have this setup properly. I just wanted to run it past the Snort gurus for confirmation before I hook it up. I am using a Cisco 1900 series switch that has 12 10baseT ports (1x-12x) and 2 100baseTX ports (Ax and Bx). I have a DSL router that is 10baseT (plugged into port 1x), a snort sensor with a 10/100 NIC (port Ax) and a firewall with a 10/100 NIC (port Bx). I have enabled the Spanning-Tree protocol. I have set up port Ax to monitor 1x and Bx. Then I disabled the web interface, of course. I am using the modified patch cable that will only allow inbound traffic on the sensor, a cross-over cable on the router, and a regular patch cable for the firewall. The sensor has a public NIC with no bindings and a private NIC with local TCP/IP settings that connects back to the LAN behind the firewall, so it can report to the MySQL server. Anyone see anything wrong with this before I hook it up? As always, keep up the great work! You all are very helpful.
> >
> >Sincerely,
> >Dane Howard
> >
> >
> >
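The SPAN session Kevin describes, written out as an added example that is not part of this thread. It assumes a Catalyst running IOS with the `monitor session` syntax (the 2950/2960/3560 generation), not the 1900's own per-port monitor setting that Dane already enabled; the interface names are assumptions standing in for the thread's 1x (DSL router), Bx (firewall) and Ax (sensor) ports.

```cisco
! Added example, not from the thread. Assumes a Catalyst running IOS that
! accepts the "monitor session" syntax, NOT the 1900's port-monitor interface.
! FastEthernet0/1 = DSL router (1x), FastEthernet0/2 = firewall (Bx),
! FastEthernet0/3 = sensor sniffing NIC (Ax). All three names are assumptions.
!
! Spanning tree plays no part in what the sensor sees; leave it at its
! default and configure a SPAN session instead.
configure terminal
!
! Source: mirror one side of the router<->firewall path in both directions.
! Mirroring just one of the two ports, as Kevin suggests, keeps the sensor
! from receiving two copies of every frame.
monitor session 1 source interface FastEthernet0/1 both
!
! Destination: the sensor's sniffing NIC. By default a SPAN destination port
! only transmits mirrored frames and does not forward what the sensor sends,
! which matches the receive-only patch cable in the original post.
monitor session 1 destination interface FastEthernet0/3
end
!
! Verify the session before trusting the sensor's view of the link.
show monitor session 1
```

Once the session is up, the sensor's sniffing interface should be brought up with no IP address bound to it, exactly as the original post describes, so the only path from the sensor back into the network is the separate management NIC behind the firewall.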
