Re: Snort on Cisco 6509

[Rich Adamson <radamson () routers com>]

> However SNORT is not able to detect any alerts other than those to its own interface. So 
if we were to scan snort it would show up, but if we tried to scan the firewall it would 
not show up. The IP address of Snort is the same as the 100Mbit port on the 6509 is put on 
the Vlan that snort was configured. I noticed that the NIC was not in promiscuous mode so I 
set it to be in promiscuous mode. 
> The output of the show span from the 6509 is
> **********************************************************************
> CJ_6509> (enable) show span
>
> Destination     : Port 3/8
> Admin Source    : Port 7/15
> Oper Source     : Port 7/15
> Direction       : transmit/receive
> Incoming Packets: enabled
> Learning        : enabled
> Multicast       : disabled
> Filter          : -
> Status          : active
>
>
> Total local span sessions:  1  
> *********************************************8

Not sure what the problem might be other then we've used port mirroring
on other 6509's without a problem.

Might check to make sure snort is actually plugged into 3/8 and the
firewall in 7/15. I believe you can also port mirror the entire vlan
if you'd like to try that.

Rich




-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users