IDS mailing list archives
Re: about mirroring port
From: Karel Chwistek <karel.chwistek () i cz>
Date: Thu, 20 Mar 2003 09:28:25 +0100
SB CH wrote:
hello, all. I would like to setup ids(like snort) at mirroring port in cisco catalyst switch. but all of the network traffic is over 100M, and my linux server which installs snort is not so good hardware. So I think that when I setup snort at mirroring port, all traffic should via linux server so the network speed would be slow
I don't mean so ... coz mirroring port is used just for traffic analysis ... so it should not slow down speed of your network ...
Question. 1. when I setup the mirroring port,all traffic(for example, port2 traffic) would transfer like this or just copy the traffic mirroring port too? (1) client --> mirroring port1 --> port 2 (2) client --> port 2 --> mirroring port (copy too)
it will just copy the traffic to mirroring port too
2. Is there any problem when I set snort at mirroring port if the traffic is so high(over 100~200M)?
it is depending on speed of you machine where you have installed snort
3. do you know any commands to setup mirroring port at catalyst 400x(catos based) switch?
Switch(config)# monitor session 1 source interface fa2/3 for monitoring full traffic from/to fasteethernet 2/3 or Switch(config)# monitor session 1 source interface fa2/3 rx Switch(config)# monitor session 1 source interface fa2/2 tx for monitoring traffic comming from interface fa2/3 or outgoing by interface fa2/2 port where do you want to see this traffic is configured by command Switch(config)# monitor session 1 destination interface fastethernet 5/48 You must remember that the destignation port is then used only monitoring not for communication !! For more informations look at http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_13/config/span.pdf K.Ch. ----------------------------------------------------------- ALERT: Exploiting Web Applications- A Step-by-Step Attack Analysis Learn why 70% of today's successful hacks involve Web Application attacks such as: SQL Injection, XSS, Cookie Manipulation and Parameter Manipulation. http://www.spidynamics.com/mktg/webappsecurity71
Current thread:
- about mirroring port SB CH (Mar 18)
- Re: about mirroring port nate (Mar 18)
- RE: about mirroring port Rob Shein (Mar 18)
- Re: about mirroring port Karel Chwistek (Mar 23)
- <Possible follow-ups>
- Re: about mirroring port Joe Magee (Mar 23)
- Re: about mirroring port Dejan Markovic (Mar 26)
- RE: about mirroring port David Vertie (Mar 23)