[Snort-users] Cisco Catalyst - SNORT

Scott Fringer fringsm at ...5133...
Mon Jun 23 08:11:04 EDT 2003


Actually, depending on the version of code on the 6000 (or 4000/5000 for
that matter) you can set up spans that support two-way traffic. (We use
CatOS not IOS on our 6ks/5ks/4ks).

Check the span syntax on the device and look for the inpkts options, which
allows for traffic to be sent/received as well as mirrored.

While this is a usable solution; it is still better to have a separate NIC
for transport and a separate NIC for monitoring.

Scott

Scott Fringer                              Shands Healthcare @ U.F.
Technical Analyst II                       Gainesville, FL

On Mon, 23 Jun 2003, Javier Liendo wrote:

> hello jose
>
> you'll have to configure the switch port where you are
> plugging the snort device as a "span" port...
>
> pls take a look at the following link to see how you
> can configure it on a 6000 series catalyst switch...
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/span.htm
>
> also in my experience, if you configure a switch port
> as span then you can not pass any management traffic
> through that port so you will have to add another
> network card and plug it to another switch port if you
> want to manage this device remotely...
>
> saludos
>
> javier




More information about the Snort-users mailing list