
| Subject: | RE: [Snort-users] Snort on Cisco 6509 |
|---|---|
| Date: | Tue, 31 Aug 2004 04:52:46 -0700 (PDT) |

The IP address is the same as what?

No no... you don't even need an IP address on the Snort promiscuous adapter. You should have at least two adapters. One for management and one for sniffing.

You can't monitor a Gigabit connection with a Mbit connection. Put the firewall on a Mbit connection.

Cheese!
Marc

--__--__--

Message: 1
Date: Mon, 30 Aug 2004 14:28:36 -0400
From: Network Intern <nsintern@hamilton.edu>
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] Snort on Cisco 6509

Hi Everyone,

We have SNORT 2.0.2 running on Red Hat Linux release 9 (Shrike). We are monitoring the traffic that enters and exits our PIX firewall. Snort was up and running very well, until we had to make some network changes.

Initially snort was connected to a Cisco 35xx series switch and was spanning (port monitoring) the interface connected to our firewall. Currently we have connected the firewall directly to a Giga bit interface on our core switch (Cisco 6509) and hence we had to shift the location of snort to be connected directly to a 100 Mbit connection on the 6509.

Currently we have set spanning on the 6509's 100 Mbit connection, to which snort is connected to monitor the Giga bit connection that is connected to the firewall. However SNORT is not able to detect any alerts other than those to its own interface. So if we were to scan snort it would show up, but if we tried to scan the firewall it would not show up.

The IP address of Snort is the same as the 100Mbit port on the 6509 is put on the Vlan that snort was configured. I noticed that the NIC was not in promiscuous mode so I set it to be in promiscuous mode.

The output of the show span from the 6509 is

**********************************************************************
CJ_6509> (enable) show span
Destination : Port 3/8
Admin Source : Port 7/15
Oper Source : Port 7/15
Direction : transmit/receive
Incoming Packets: enabled
Learning : enabled
Multicast : disabled
Filter : -
Status : active
Total local span sessions: 1
*********************************************8

It would be of great help if you would kindly drop in some suggestions.

Thanks a lot

Sherly Abraham
nsintern@hamilton.edu
Network Services
Hamilton College
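
An added example, not part of the thread or written by either poster: a small Python check that parses the `show span` output quoted above and reports what matters for a passive Snort sensor on the destination port. The function names are hypothetical, and the link speeds (Gigabit source, 100 Mbit destination) are taken from the post's description and passed in as assumptions because `show span` does not report them.

```python
# `show span` output as posted in the thread (CatOS on the Catalyst 6509).
SHOW_SPAN = """\
Destination : Port 3/8
Admin Source : Port 7/15
Oper Source : Port 7/15
Direction : transmit/receive
Incoming Packets: enabled
Learning : enabled
Multicast : disabled
Filter : -
Status : active
Total local span sessions: 1
"""

def parse_show_span(text):
    """Turn 'Key : value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields

def review_span(fields, src_mbps, dst_mbps):
    """Return findings for a passive IDS sensor on the SPAN destination.

    src_mbps / dst_mbps are link speeds supplied by the caller (assumed).
    """
    findings = []
    if fields.get("status") != "active":
        findings.append("session is not active: nothing is mirrored")
    if fields.get("oper source") != fields.get("admin source"):
        findings.append("operational source differs from configured source")
    # transmit/receive copies both directions of the source to one port.
    factor = 2 if fields.get("direction") == "transmit/receive" else 1
    peak = src_mbps * factor
    if peak > dst_mbps:
        findings.append(f"up to {peak} Mbit/s mirrored into a {dst_mbps} "
                        "Mbit/s port: excess packets never reach the sensor")
    if fields.get("incoming packets") == "enabled":
        findings.append("destination port accepts incoming packets: "
                        "the sniffing adapter is not receive-only")
    return findings

if __name__ == "__main__":
    for finding in review_span(parse_show_span(SHOW_SPAN), 1000, 100):
        print("-", finding)
```
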