Snort mailing list archives

RE: Configuring Cisco switches...

From: Joshua Wright <Joshua.Wright () jwu edu>
Date: Fri, 21 Sep 2001 11:00:16 -0400

As Chubbs Peterson said in Happy Gilmore:

"Just tap it in Happy.  Just tap it in.  Just tap it in.  Tap it in."

http://www.finisar-systems.com/

-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright () jwu edu

pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FD A5 12 FC F3 91 37 40 E0 AE BD B6 8F E2 FC 0A D4 4B 4A 73



-----Original Message-----
From: Bob Staaf [mailto:rstaaf () cfl rr com]
Sent: Friday, September 21, 2001 10:38 AM
To: Bryan Childs; 'Erek Adams'
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Configuring Cisco switches...


Bryan,

     If he is so set against hubs his only other choice is to set up the
network monitoring port using span on the switch.  I don't see any other way
to do it without putting snort on every box you want to monitor.

Bob

----- Original Message -----
From: "Bryan Childs" <bryan.childs () mercator com>
To: "'Erek Adams'" <erek () theadamsfamily net>
Cc: <snort-users () lists sourceforge net>
Sent: Friday, September 21, 2001 10:21 AM
Subject: RE: [Snort-users] Configuring Cisco switches...

Ok - after talking to my net admin chappy - he has another question, and I
quote :

"it would be better to ask of the best way to set up an ethernet network

to

optimise your chances of capturing information whilst maintaining high
performance switched networks"

and he said to ignore any smart arses that suggested going back to using
hubs :)

Well ?

Anyone got any good advice on this...

On the face of it - turning on the port mirroring on the switch sounds

like

it will do the job - but will anything suffer noticeably after we've done
it? (Apart from the snort box, we're expecting that!)

Bry

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: 21 September 2001 15:15
To: Bryan Childs
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Configuring Cisco switches...


On Fri, 21 Sep 2001, Bryan Childs wrote:

Hi everyone - this question has probably been done to

death, but my google

searching for answers has amounted to nought - so I'm going

to have to ask

it again I'm afraid!


It's Ok, we'll just give you lashes with a wet noodle.  ;-)

The network here in my building is of course suffering from

the recent Nimda

virus/worm breakout, and we're trying to track infected

boxes with snort.


The entire network here is running on switched ethernet,

which is giving us

a bit of a headache. Most of the switches are dumb 3Com

supplied ones, but

we've been sensible enough (we think) to plug out snort box

into the Cisco

one which sits at the top of the network.

The trouble is that we *still* don't seem to be able to

monitor attacks

which don't directly go for the snort box itself.

The card is set up in promiscuous mode as it should be -

but we think we

need to do something to the switch to make sure it sees ALL

our internal

network traffic.

Does anyone know what we might have missed? Or have any

suggestions at all?

Yeppers...

http://snort.sourcefire.com/docs/faq.html#1.8

Now, your Cisco _should_ be able to do that.  If you don't
know talk with your
local netoworking geek.  Bribe him with some wire ties or something...

Cheers amigos......


Oh, you're bringing the beer?  Great!  Bring some Shinerbock.  :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



********

Mercator - find out more at http://www.mercator.com

The information in this email is confidential and is intended solely for

the addressee(s). Access to this email by anyone else is unauthorised.  If
you are not an intended recipient, you must not read, use or disseminate the
information contained in the email.

Any views expressed in this message are those of the individual sender,

except where the sender specifically states them to be the views of Mercator
Software Ltd.

Email to and from Mercator may be monitored.

********



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Configuring Cisco switches... Bryan Childs (Sep 21)
- Re: Configuring Cisco switches... Erek Adams (Sep 21)
- Re: Configuring Cisco switches... Bob Staaf (Sep 21)
- Re: Configuring Cisco switches... George D. Nincehelser (Sep 21)
- <Possible follow-ups>
- RE: Configuring Cisco switches... Bryan Childs (Sep 21)
  - RE: Configuring Cisco switches... Erek Adams (Sep 21)
  - RE: Configuring Cisco switches... Erek Adams (Sep 21)
  - Re: Configuring Cisco switches... Bob Staaf (Sep 21)
- RE: Configuring Cisco switches... Gadrow, Jim (Sep 21)
- RE: Configuring Cisco switches... Joshua Wright (Sep 21)
- RE: Configuring Cisco switches... Cessna, Michael (Sep 21)
- RE: Configuring Cisco switches... Mayers, Philip J (Sep 21)
- RE: Configuring Cisco switches... Bryan Childs (Sep 21)
- RE: Configuring Cisco switches... Bryan Childs (Sep 21)