Snort mailing list archives

Re: Configuring Cisco switches...


From: "George D. Nincehelser" <george () ccitriad net>
Date: Fri, 21 Sep 2001 10:36:21 -0500

Might a better tactic be to scan your internal networks periodically for infected or vulnerable machines and then fix 
or patch them?

Looking for internal infected machines via snort may be too late, especially considering that I've seen several 
recommendations that Nimda infected boxes be totally rebuilt :(

George
  ----- Original Message ----- 
  From: Bryan Childs 
  To: 'snort-users () lists sourceforge net' 
  Sent: Friday, September 21, 2001 8:59 AM
  Subject: [Snort-users] Configuring Cisco switches...


  [Also posted to the Snort forums]


  Hi everyone - this question has probably been done to death, but my google searching for answers has amounted to 
nought - so I'm going to have to ask it again I'm afraid! 

  The network here in my building is of course suffering from the recent Nimda virus/worm breakout, and we're trying to 
track infected boxes with snort.

  The entire network here is running on switched ethernet, which is giving us a bit of a headache. Most of the switches 
are dumb 3Com supplied ones, but we've been sensible enough (we think) to plug our snort box into the Cisco one which 
sits at the top of the network.

  The trouble is that we *still* don't seem to be able to monitor attacks which don't directly go for the snort box 
itself.

  The card is set up in promiscuous mode as it should be - but we think we need to do something to the switch to make 
sure it sees ALL our internal network traffic.

  Does anyone know what we might have missed? Or have any suggestions at all?

  Cheers amigos......

  Bryan 






