RE: [Snort-users] Snort on Cisco 6509

08-31-2004
SN ORT

The IP address is the same as what? No no ...you don't
even need an IP address on the Snort promiscuous
adapter. You should have at least two adapters. One
for management and one for sniffing.

You can't monitor a Gigabit connection with a Mbit
connection. Put the firewall on a Mbit connection.

Cheese!

Marc


--__--__--

Message: 1
Date: Mon, 30 Aug 2004 14:28:36 -0400
From: Network Intern <nsintern@hamilton.edu>
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Snort on Cisco 6509

Hi Everyone,

We have SNORT 2.0.2 running on Red Hat Linux release 9
(Shrike). We are monitoring the traffic that enters
and exits our PIX firewall. Snort was up and running
very well, until we had to make some network changes.
Initially snort was connected to a Cisco 35xx series
switch and was spanning (port monitoring) the
interface connected to our firewall.

Currently we have connected the firewall directly to a
Gigabit interface on our core switch (Cisco 6509) and
hence we had to shift the location of snort to be
connected directly to a 100 Mbit connection on the
6509. Currently we have set spanning on the 6509's 100
Mbit connection, to which snort is connected to
monitor the Gigabit connection that is connected to
the firewall.

However SNORT is not able to detect any alerts other
than those to its own interface. So if we were to scan
snort it would show up, but if we tried to scan the
firewall it would not show up. The IP address of Snort
is the same as the 100Mbit port on the 6509 is put on
the Vlan that snort was configured. I noticed that the
NIC was not in promiscuous mode so I set it to be in
promiscuous mode.

The output of the show span from the 6509 is
**********************************************************************
CJ_6509> (enable) show span

Destination : Port 3/8
Admin Source : Port 7/15
Oper Source : Port 7/15
Direction : transmit/receive
Incoming Packets: enabled
Learning : enabled
Multicast : disabled
Filter : -
Status : active


Total local span sessions: 1
**********************************************************************

It would be of great help if you would kindly drop in
some suggestions
Thanks a lot
Sherly Abraham
nsintern@hamilton.edu
Network Services
Hamilton College
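
An added example (not part of the original posts): a shell check of the three points raised in this thread on a Linux sensor, namely the promiscuous flag, an IP address on the sniffing adapter, and the sensor port speed against the mirrored link. The function names and the interface name `eth1` are assumptions, and the sample values are constructed to match the setup described above.

```shell
#!/bin/sh
# Added example: audit a sniffing interface. Names here are illustrative assumptions.
IFF_PROMISC=256   # 0x100, the IFF_PROMISC bit from <linux/if.h>

# is_promisc FLAGS -> exit 0 if the promiscuous bit is set (FLAGS like 0x1103)
is_promisc() {
    [ $(( $1 & $IFF_PROMISC )) -ne 0 ]
}

# audit_values FLAGS IPV4_COUNT SENSOR_MBPS MONITORED_MBPS
# Prints one line per finding; exit status is the number of findings.
audit_values() {
    findings=0
    if ! is_promisc "$1"; then
        echo "FAIL: promiscuous bit not set; mirrored frames for other hosts are dropped by the NIC"
        findings=$((findings + 1))
    fi
    if [ "$2" -gt 0 ]; then
        echo "WARN: sniffing interface has $2 IPv4 address(es); it needs none"
        findings=$((findings + 1))
    fi
    # A SPAN session with direction transmit/receive on a full-duplex source
    # can mirror up to twice the source link rate to the destination port.
    worst=$(( $4 * 2 ))
    if [ "$3" -lt "$worst" ]; then
        echo "WARN: $3 Mbit/s sensor port, up to $worst Mbit/s mirrored; expect drops under load"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# audit_iface IFACE MONITORED_MBPS -> reads live values from sysfs and iproute2
audit_iface() {
    flags=$(cat "/sys/class/net/$1/flags") || return 99
    speed=$(cat "/sys/class/net/$1/speed" 2>/dev/null || echo 0)
    addrs=$(ip -4 -o addr show dev "$1" | wc -l)
    audit_values "$flags" "$addrs" "$speed" "$2"
}

# Constructed sample: flags 0x1003 (UP|BROADCAST|MULTICAST, no PROMISC),
# one IPv4 address, 100 Mbit/s sensor port, 1000 Mbit/s monitored link.
audit_values 0x1003 1 100 1000 || echo "findings: $?"
# On a live sensor (interface name is an assumption): audit_iface eth1 1000
```
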

