Virus.Org IT Security News and Information Portal. We offer the latest IT security news, updates, product reviews, books, and articles for all you IT security professionals out there. Enter and get the best IT security information on the Internet.

 
. Welcome to the Virus.Org Mailing List Archive  
.
.


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


[Snort-users] Snort on Cisco 6509
.

  • To: [EMAIL PROTECTED]
  • Subject: [Snort-users] Snort on Cisco 6509
  • From: Network Intern <[EMAIL PROTECTED]>
  • Date: Mon, 30 Aug 2004 14:28:36 -0400
  • Sender: [EMAIL PROTECTED]
.
 
Hi Everyone,

We have SNORT 2.0.2 running on Red Hat Linux release 9 (Shrike). We are monitoring the traffic that enters and exits our PIX firewall. Snort was up and running very well, until we had to make some network changes. Initially snort was connected to a Cisco 35xx series switch and was spanning (port monitoring) the interface connected to our firewall.

Currently we have connected the firewall directly to a Giga bit interface on our core switch (Cisco 6509) and hence we had to shift the location of snort to be connected directly to a 100 Mbit connection on the 6509. Currenlty we have set spanning on the 6509's 100 Mbit connection, to which snort is connected to monitor the Giga bit connection that is connected to the firewall.

However SNORT is not able to detect any alerts other than those to its own interface. So if we were to scan snort it would show up, but if we tried to scan the firewall it would not show up. The IP address of Snort is the same as the 100Mbit port on the 6509 is put on the Vlan that snort was configured. I noticed that the NIC was not in promiscuous mode so I set it to be in promiscuous mode. 

The output of the show span from the 6509 is
**********************************************************************
CJ_6509> (enable) show span

Destination     : Port 3/8
Admin Source    : Port 7/15
Oper Source     : Port 7/15
Direction       : transmit/receive
Incoming Packets: enabled
Learning        : enabled
Multicast       : disabled
Filter          : -
Status          : active


Total local span sessions:  1  
*********************************************8

It would be of great help if you would kindly drop in some suggestions
Thanks a lot
Sherly Abraham
[EMAIL PROTECTED]
Network Services
Hamilton College




-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-users mailing list
[EMAIL PROTECTED]
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
 
.
.
 
Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.