Snort mailing list archives
RE: Configuring Cisco switches...
From: Bryan Childs <bryan.childs () mercator com>
Date: Fri, 21 Sep 2001 15:21:17 +0100
Ok - after talking to my net admin chappy - he has another question, and I quote : "it would be better to ask of the best way to set up an ethernet network to optimise your chances of capturing information whilst maintaining high performance switched networks" and he said to ignore any smart arses that suggested going back to using hubs :) Well ? Anyone got any good advice on this... On the face of it - turning on the port mirroring on the switch sounds like it will do the job - but will anything suffer noticeably after we've done it? (Apart from the snort box, we're expecting that!) Bry
-----Original Message----- From: Erek Adams [mailto:erek () theadamsfamily net] Sent: 21 September 2001 15:15 To: Bryan Childs Cc: 'snort-users () lists sourceforge net' Subject: Re: [Snort-users] Configuring Cisco switches... On Fri, 21 Sep 2001, Bryan Childs wrote:Hi everyone - this question has probably been done todeath, but my googlesearching for answers has amounted to nought - so I'm goingto have to askit again I'm afraid!It's Ok, we'll just give you lashes with a wet noodle. ;-)The network here in my building is of course suffering fromthe recent Nimdavirus/worm breakout, and we're trying to track infectedboxes with snort.The entire network here is running on switched ethernet,which is giving usa bit of a headache. Most of the switches are dumb 3Comsupplied ones, butwe've been sensible enough (we think) to plug out snort boxinto the Ciscoone which sits at the top of the network. The trouble is that we *still* don't seem to be able tomonitor attackswhich don't directly go for the snort box itself. The card is set up in promiscuous mode as it should be -but we think weneed to do something to the switch to make sure it sees ALLour internalnetwork traffic. Does anyone know what we might have missed? Or have anysuggestions at all? Yeppers... http://snort.sourcefire.com/docs/faq.html#1.8 Now, your Cisco _should_ be able to do that. If you don't know talk with your local netoworking geek. Bribe him with some wire ties or something...Cheers amigos......Oh, you're bringing the beer? Great! Bring some Shinerbock. :) ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net
******** Mercator - find out more at http://www.mercator.com The information in this email is confidential and is intended solely for the addressee(s). Access to this email by anyone else is unauthorised. If you are not an intended recipient, you must not read, use or disseminate the information contained in the email. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Mercator Software Ltd. Email to and from Mercator may be monitored. ******** _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Configuring Cisco switches... Bryan Childs (Sep 21)
- Re: Configuring Cisco switches... Erek Adams (Sep 21)
- Re: Configuring Cisco switches... Bob Staaf (Sep 21)
- Re: Configuring Cisco switches... George D. Nincehelser (Sep 21)
- <Possible follow-ups>
- RE: Configuring Cisco switches... Bryan Childs (Sep 21)
- RE: Configuring Cisco switches... Erek Adams (Sep 21)
- RE: Configuring Cisco switches... Erek Adams (Sep 21)
- Re: Configuring Cisco switches... Bob Staaf (Sep 21)
- RE: Configuring Cisco switches... Gadrow, Jim (Sep 21)
- RE: Configuring Cisco switches... Joshua Wright (Sep 21)
- RE: Configuring Cisco switches... Cessna, Michael (Sep 21)
- RE: Configuring Cisco switches... Mayers, Philip J (Sep 21)
- RE: Configuring Cisco switches... Bryan Childs (Sep 21)
- RE: Configuring Cisco switches... Bryan Childs (Sep 21)