FW: [Snort-users] Cisco switch configuration for sensor

kevin reynolds kevinreynolds2525 at ...125...
Sat Jan 18 10:21:06 EST 2003


Dane,

If you have enabled spanning tree protocol under the assumption that it will 
allow the sensor to view copies of all traffic between the DSL router and 
the firewall, you are incorrect.  STP is used to provide a loop-free 
switching path when multiple switches share VLANs.  You will need to set up 
a SPAN (switch port analyzer) session directing all traffic observed on 
ports 1x and Bx to port Ax.  But you could make the switch's life somewhat 
easier and send all traffic observed on just one of the ports to the IDS 
(just make sure you do it bi-directionally).

Kevin



>-----Original Message-----
>From: gr8dane2 at ...163... [mailto:gr8dane2 at ...163...]
>Sent: Thursday, January 16, 2003 11:32 AM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] Cisco switch configuration for sensor
>
>
>Ok, I checked the Cisco sites and believe I have this setup properly.  I
>just wanted to run it past the Snort gurus for confirmation before I hook
>it up.  I am using a Cisco 1900 series switch that has 12 10baseT ports
>(1x-12x) and 2 100baseTX ports (Ax and Bx).  I have a DSL router that is
>10baseT (plugged into port 1x), a snort sensor with a 10/100 NIC (port Ax)
>and a firewall with a 10/100 NIC (port Bx).  I have enabled the Spanning-Tree
>protocol.  I have set up port Ax to monitor 1x and Bx.  Then I disabled the
>web interface, of course.  I am using the modified patch cable that will
>only allow inbound traffic on the sensor, a cross-over cable on the router,
>and a regular patch cable for the firewall.  The sensor has a public NIC
>with no bindings and a private NIC with local TCP/IP settings that connects
>back to the LAN behind the firewall, so it can report to the MySQL server.
>Anyone see anything wrong with this before I hook it up?  As always, keep
>up the great work!  You all are very helpful.
>
>Sincerely,
>Dane Howard
>
>
>
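A SPAN configuration that does what Kevin describes, added here as an example and not taken from either message. It is written in the Catalyst IOS `monitor session` form; the Catalyst 1900 in Dane's post has its own older CLI (a `port monitor` command entered under the destination interface), so the command form and the interface names Ethernet0/1, FastEthernet0/26 and FastEthernet0/27 standing in for ports 1x, Ax and Bx are assumptions.

```cisco
! Added example, not from the thread. Assumed interface mapping:
!   Ethernet0/1      = port 1x (DSL router)
!   FastEthernet0/26 = port Ax (Snort sensor)
!   FastEthernet0/27 = port Bx (firewall)
!
! Enabling spanning tree copies nothing to the sensor; it only blocks
! redundant links so the switched topology stays loop-free. Traffic is
! mirrored by a SPAN session.

! Option 1: mirror both 1x and Bx onto Ax, as Dane set up by hand.
! "both" copies received and transmitted frames, which is the
! bi-directional part Kevin mentions. Every router<->firewall frame
! crosses 1x in one direction and Bx in the other, so this delivers
! each frame to the sensor twice.
monitor session 1 source interface Ethernet0/1 both
monitor session 1 source interface FastEthernet0/27 both
monitor session 1 destination interface FastEthernet0/26

! Option 2, Kevin's lighter alternative: mirror only the router port.
! Every packet between router and firewall still crosses 1x, so one
! bi-directional source gives the sensor the same view, once per frame,
! with half the copy load on the switch.
no monitor session 1
monitor session 1 source interface Ethernet0/1 both
monitor session 1 destination interface FastEthernet0/26

! Confirm the session has both rx and tx on the source port.
show monitor session 1
```

With either option the sensor port only needs to receive, which matches the receive-only patch cable Dane describes.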






