[Snort-users] Pass data thru Cisco Switch?

Jason security at ...5028...
Thu Jul 15 15:09:11 EDT 2004


dbs wrote:

>  
> If you are running IOS you can monitor by interface or by VLAN.  On
> the interface the IDS is plugged into execute this command, "port
> monitor ?" to see the available options.  From my experience you can
> select multiple interfaces to monitor if they are on the same VLAN,
> but in this case I would just monitor by VLAN.  For the most part a
> Cisco 2900 running IOS has very limited monitoring capabilities as
> the 'monitor to' interface and 'monitor from' interface have to be on
> the same VLAN.  

Hmmmm, I differ...

the-switch>sho ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(9)EA1, RELEASE SOFTWARE )
[...]


the-switch>sho span

VLAN0003
[...]

Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/3            128.3           19 FWD         0 32771 000a.8ab5.9500 128.3
Fa0/4            128.4           19 FWD         0 32771 000a.8ab5.9500 128.4
[...]


VLAN0192
[...]

Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/17           128.17          19 FWD         0 32960 000a.8ab5.9500 128.17
Fa0/18           128.18          19 FWD         0 32960 000a.8ab5.9500 128.18
[...]

the-switch>sho monitor
Session 1
---------
Source Ports:
     RX Only:       None
     TX Only:       None
     Both:          Fa0/3-22
Destination Ports: Fa0/24

[...]

the-switch#wri t
[...]
monitor session 1 source interface Fa0/3 - 22
monitor session 1 destination interface Fa0/24
[...]


> If your setup is a single VLAN setup you should have
> very few problems setting it up.
> 
> 
> 
> Good Luck, 
> Brandon
> 
> Fingerprint: 
> AB56 1637 13F5 9FF8 2F0B  7147 F20D 21CB 5728 FEAE 
> 
>   -----Original Message-----
>   From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Carlton
> L. Whitmore
>   Sent: Wednesday, July 14, 2004 4:31 PM
>   To: snort-users at lists.sourceforge.net
>   Subject: [Snort-users] Pass data thru Cisco Switch?
> 
> 
>   I want to setup Snort inside my network, but I know if I do my
> Cisco Catalyst 2900 switches won't pass the data I need. How do I
> configure the Cisco switches to pass the data thru to the IDS system?
>   thanks,
>   Carlton.
> 
> 
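
Added example, not part of the original post: a Python check that cross-references the two outputs quoted in the reply above ("sho span" and "sho monitor") and reports, per VLAN, which ports the monitor session mirrors to the sensor port. The function names and the trimmed sample text are constructed for illustration.

```python
import re
# Constructed sample input, trimmed from the switch output quoted in the post.
SHOW_SPAN = """\
VLAN0003
Fa0/3            128.3           19 FWD         0 32771 000a.8ab5.9500 128.3
Fa0/4            128.4           19 FWD         0 32771 000a.8ab5.9500 128.4
VLAN0192
Fa0/17           128.17          19 FWD         0 32960 000a.8ab5.9500 128.17
Fa0/18           128.18          19 FWD         0 32960 000a.8ab5.9500 128.18
"""
SHOW_MONITOR = """\
Source Ports:
     TX Only:       None
     Both:          Fa0/3-22
Destination Ports: Fa0/24
"""

def expand(spec):
    """Expand 'Fa0/3-22' (or 'Fa0/3 - 22') into the set of port names."""
    ports = set()
    for part in spec.split(","):
        m = re.fullmatch(r"\s*([A-Za-z]+\d+/)(\d+)(?:\s*-\s*(\d+))?\s*", part)
        if m:  # 'None' or anything unparseable contributes no ports
            ports.update(f"{m[1]}{n}" for n in range(int(m[2]), int(m[3] or m[2]) + 1))
    return ports

def vlan_ports(show_span):
    """Map VLAN id -> ports listed under each VLANnnnn heading."""
    vlans, current = {}, None
    for line in show_span.splitlines():
        head = re.fullmatch(r"VLAN(\d+)\s*", line)
        row = re.match(r"([A-Za-z]+\d+/\d+)\s+\d+\.\d+\s", line)
        if head:
            current = vlans.setdefault(int(head[1]), set())
        elif row and current is not None:
            current.add(row[1])
    return vlans

def span_coverage(show_monitor, show_span):
    """Return (destination ports, {vlan: (mirrored ports, ports NOT mirrored)})."""
    src, dst = set(), set()
    for line in show_monitor.splitlines():
        key, _, val = line.partition(":")
        if key.strip() in ("RX Only", "TX Only", "Both"):
            src |= expand(val)
        elif key.strip() == "Destination Ports":
            dst |= expand(val)
    cov = {v: (sorted(p & src), sorted(p - src)) for v, p in vlan_ports(show_span).items()}
    return sorted(dst), cov
```

On the sample, both VLAN 3 and VLAN 192 show mirrored ports and nothing unmirrored; a non-empty second list for a VLAN means traffic on those ports never reaches the sensor.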




