[Snort-users] how to use snort in a switched environment

Carlos Felix snort at ...8664...
Wed May 14 08:23:13 EDT 2003


Ok Jeremy, you are almost there.
Since you are able to get to

Switch#

that means that you are already in enable mode. Had the prompt been

Switch>

you would have to type in

enable

to get to the "Switch#" prompt. Now that you are in enabled mode you need
to type in

configure terminal

then type in the following commands. Keep in mind that you will need to
change <PORTS TO MONITOR> to the ports that you want to monitor so if you
want to monitor ports 1-22 then you would replace <PORTS TO MONITOR> with
F1-22

interface f23
port monitor <PORTS TO MONITOR>
exit
exit

Carlos

Jeremy Rodriguez said:
> I am new to these switches so please bear with me here.
> I have the telnet prompt, after password, then I have the prompt
>
> switch#
>
> Now what?
> I will be using my own PC to run snort, it is located on port 23. There are
> two switches above it that are connected thru uplink. I want to monitor web
> activity and do NIDS. Again I need baby steps ;)
> Thanks in Advance,
> Jeremy
>
> -----Original Message-----
> From: Carlos Felix [mailto:snort at ...8664...]
> Sent: Wednesday, May 14, 2003 10:15 AM
> To: Jeremy Rodriguez
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] how to use snort in a switched environment
>
>
> Jeremy,
>
> you have an excellent switch for monitoring your network with snort (it’s
> the same one I use in several sites). All you have to do is connect a
> system to the console of your switch and configure the port that the Snort
> system is connected into to SPAN whatever ports you are wanting to
> monitor. For example, let's say that your snort system is connected to port 24
> and you want to monitor ports 1, 2, 3 and 5.
> Go to an enable prompt, then enter the configuration mode, then issue the
> following commands:
>
> Interface f24
> Port monitor f1-3 , f5
> Exit
> Exit
>
>
> That is it. All the traffic from those ports will be replicated to port
> 24. You can monitor as many/few ports as you like.
>
> Carlos
>
>
> Jeremy Rodriguez said:
>> From snort DOCS:
>> Q: I'm on a switched network, can I still use Snort?
>>
>> A: Being able to sniff on a switched network depends on what type of
>>    switch is being used.  If the switch can mirror traffic, then set
>>    the switch to mirror all traffic to the snort machine's port.
>>
>> My question is that I have a Cisco WS-C2924-XL and I was wondering if anyone
>> has used snort and these switches successfully.
>>
>>
>> The only other way I have found is:
>>
>> INET
>>      |
>> ROUTER
>>      |
>>  HUB --------- SNORT
>>      |
>> SWITCH
>>      |
>> COMPANY
>>
>>
>>
>>
>
>
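
Once the monitor port is configured as described in this thread, the Snort box should start receiving unicast frames exchanged between other hosts, which an ordinary switch port never delivers. The sketch below is an added example, not part of the original thread or of Snort: it classifies raw Ethernet frames captured on the sensor NIC and reports whether mirroring appears active. All MAC addresses, the sample frames and the `min_foreign` threshold are constructed assumptions.

```python
from collections import Counter

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def classify_frame(frame: bytes, sensor_mac: str) -> str:
    """Label a raw Ethernet frame by its relation to the sensor's NIC."""
    if len(frame) < 14:                      # shorter than an Ethernet header
        return "runt"
    dst, src = frame[0:6], frame[6:12]
    if dst[0] & 0x01:                        # group bit: broadcast/multicast
        return "group"
    if sensor_mac in (mac_str(dst), mac_str(src)):
        return "own"                         # sensor's own conversations
    return "foreign"                         # unicast between two other hosts

def mirror_report(frames, sensor_mac, min_foreign=3):
    """Count frame classes; several foreign unicasts imply a working mirror.

    min_foreign (assumed value) tolerates the odd unknown-unicast frame
    that a switch floods to every port even without mirroring.
    """
    sensor_mac = sensor_mac.lower()
    counts, talkers = Counter(), set()
    for f in frames:
        kind = classify_frame(f, sensor_mac)
        counts[kind] += 1
        if kind == "foreign":
            talkers.add((mac_str(f[6:12]), mac_str(f[0:6])))  # (src, dst)
    return {"counts": dict(counts), "talkers": talkers,
            "mirror_active": counts["foreign"] >= min_foreign}

def build_frame(dst: str, src: str) -> bytes:
    """Constructed sample frame: MAC header, IPv4 ethertype, zero padding."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return raw(dst) + raw(src) + b"\x08\x00" + bytes(46)

# Constructed addresses: sensor NIC, two monitored hosts, gateway, broadcast.
SENSOR, A, B = "00:11:22:33:44:55", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
GW, BCAST = "02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff"
# What the sensor sees with the mirror on: other hosts' web traffic included.
MIRRORED = [build_frame(GW, A), build_frame(A, GW), build_frame(GW, B),
            build_frame(B, GW), build_frame(BCAST, A), build_frame(SENSOR, GW)]
# Without it: broadcasts, its own traffic, and one flooded unknown unicast.
UNMIRRORED = [build_frame(BCAST, A), build_frame(SENSOR, GW),
              build_frame(GW, SENSOR), build_frame(B, A)]

if __name__ == "__main__":
    for name, sample in (("mirrored", MIRRORED), ("unmirrored", UNMIRRORED)):
        print(name, mirror_report(sample, SENSOR))
```

If `mirror_active` stays false on a live capture, Snort will only alert on traffic to and from the sensor itself, however the rules are tuned.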




