[Snort-users] how to use snort in a switched environment

Carlos Felix snort at ...8664...
Wed May 14 08:23:13 EDT 2003

Ok Jeremy, you are almost there.
Since you are able to get to


that means that you are already in enable mode, had the prompt been


you would have to type in


to get to the "Switch#" prompt. Now that you are in enabled mode you need
to type in

configure terminal

then type in the following commands. Keep in mind that you will need to
change <PORTS TO MONITOR> to the ports that you want to monitor, so if you
want to monitor ports 1-22 then you would replace <PORTS TO MONITOR> with

interface f23
port monitor <PORTS TO MONITOR>


Jeremy Rodriguez said:
> I am new to these switches so please bear with me here.
> I have the telnet prompt, after password, then I have the prompt
> switch#
> Now what?
> I will be using my own PC to run snort, it is located on port 23. There are
> two switches above it that are connected thru uplink. I want to monitor web
> activity and do NIDS. Again I need baby steps ;)
> Thanks in Advance,
> Jeremy
> -----Original Message-----
> From: Carlos Felix [mailto:snort at ...8664...]
> Sent: Wednesday, May 14, 2003 10:15 AM
> To: Jeremy Rodriguez
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] how to use snort in a switched environment
> Jeremy,
> you have an excellent switch for monitoring your network with snort (it’s
> the same one I use in several sites). All you have to do is connect a
> system to the console of your switch and configure the port that the Snort
> system is connected into to SPAN whatever ports you are wanting to
> monitor. For example, let's say that your snort system is connected to port 24
> and you want to monitor ports 1, 2, 3 and 5.
> Go to an enable prompt, then enter the configuration mode, then issue the
> following commands:
> Interface f24
> Port monitor f1-3 , f5
> Exit
> Exit
> That is it. All the traffic from those ports will be replicated to port
> 24. You can monitor as many/few ports as you like.
> Carlos
> Jeremy Rodriguez said:
>> From snort DOCS:
>> Q: I'm on a switched network, can I still use Snort?
>> A: Being able to sniff on a switched network depends on what type of
>>    switch is being used.  If the switch can mirror traffic, then set
>>    the switch to mirror all traffic to the snort machine's port.
>> My question is that I have a Cisco WS-C2924-XL and I was wondering if anyone
>> has used snort and these switches successfully.
>> The only other way I have found is:
>>      |
>>      |
>>  HUB --------- SNORT
>>      |
>>      |
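
Added example (not part of the original thread and not Snort's own code): a heuristic check that the port monitor setup discussed above is really delivering other hosts' traffic to the sensor port. It assumes raw Ethernet II frames captured on the Snort interface; mirror_report is a hypothetical helper name, and the MAC addresses and frames are constructed sample data.

```python
import struct

def parse_eth(frame: bytes):
    """Return (dst, src, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!6s6sH", frame[:14])

def mirror_report(frames, sensor_mac: bytes):
    """Classify frames seen on the sensor port (hypothetical helper)."""
    counts = {"own": 0, "group": 0, "foreign_unicast": 0, "truncated": 0}
    flows = set()  # (src, dst) pairs of unicast between other hosts
    for frame in frames:
        try:
            dst, src, _ = parse_eth(frame)
        except ValueError:
            counts["truncated"] += 1
            continue
        if sensor_mac in (dst, src):
            counts["own"] += 1            # arrives with or without mirroring
        elif dst[0] & 0x01:
            counts["group"] += 1          # broadcast/multicast is flooded anyway
        else:
            counts["foreign_unicast"] += 1
            flows.add((src, dst))
    # A single flooded unknown-unicast frame can reach an unmirrored port, so
    # require both directions of a conversation between two other hosts.
    counts["mirror_confirmed"] = any((d, s) in flows for (s, d) in flows)
    return counts

# Constructed sample data: locally administered MACs, header-only frames.
SENSOR = bytes.fromhex("020000000001")
HOST_A = bytes.fromhex("02000000000a")
HOST_B = bytes.fromhex("02000000000b")
BCAST = b"\xff" * 6

def frame(dst, src):
    return dst + src + struct.pack("!H", 0x0800)

UNMIRRORED = [frame(BCAST, HOST_A), frame(SENSOR, HOST_A),
              frame(HOST_A, SENSOR), frame(HOST_B, HOST_A), b"\x00" * 6]
MIRRORED = UNMIRRORED + [frame(HOST_A, HOST_B)]

if __name__ == "__main__":
    print("unmirrored:", mirror_report(UNMIRRORED, SENSOR))
    print("mirrored:  ", mirror_report(MIRRORED, SENSOR))
```

If mirror_confirmed stays false on a busy segment, the sensor port is only seeing its own and flooded traffic and the switch configuration should be rechecked.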
