Snort mailing list archives

Re: how to use snort in a switched environment

From: "Carlos Felix" <snort () xiata com>
Date: Wed, 14 May 2003 09:15:12 -0500 (EST)

Jeremy,

you have an excellent switch for monitoring your network with snort (its
the same one I use in several sites). All you have to do is connect a
system to the console of your switch and configure the port that the Snort
system is connected into to SPAN what ever ports you are wanting to
monitor. Example lets say that your snort system is connected to port 24
and you want to monitor ports 1, 2, 3 and 5.
Go to an enable prompt, then enter the configuration mode, then issue the
following commands:

Interface f24
Port monitor f1-3 , f5
Exit
Exit


That is it. All the traffic from those ports will be replicated to port
24. You can monitor as many/few ports as you like.

Carlos


Jeremy Rodriguez said:

From snort DOCS:
Q: I'm on a switched network, can I still use Snort?

A: Being able to sniff on a switched network depends on what type of
   switch is being used.  If the switch can mirror traffic, then set
   the switch to mirror all traffic to the snort machine's port.

My question is that I have a Cisco WS-C2924-XL and I was wondering if
anyone
has used snort and these switches successfully.


The only other way I have found is:

INET
     |
ROUTER
     |
 HUB --------- SNORT
     |
SWITCH
     |
COMPANY




-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
The only event dedicated to issues related to Linux enterprise solutions
www.enterpriselinuxforum.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

how to use snort in a switched environment Jeremy Rodriguez (May 14)
- Re: how to use snort in a switched environment Erek Adams (May 14)
- Re: how to use snort in a switched environment Carlos Felix (May 14)
  - Message not available
    - RE: how to use snort in a switched environment Carlos Felix (May 14)
  - Re: how to use snort in a switched environment Carlos Felix (May 14)
- <Possible follow-ups>
- Re: how to use snort in a switched environment Les Addison (May 14)
  - Re: how to use snort in a switched environment Matt Schillinger (May 14)