Tutorials creation: Blaise Carrera
SNORT - The Easy Tutorial - Port Mirroring

Snort Port Mirroring
Last Change: Dec 07 2007



CONFIGURE YOUR SWITCH

To be sure your IDS analyzes the data you want, you must mirror the traffic of a switch port or VLAN. For this, we will use the "port mirroring" mechanism, in which the switch duplicates the traffic of your chosen interface or VLAN and sends it to Snort.

Of course, your IDS system needs at least one network interface to listen to the traffic. If you can have two network ports, this is much better: you can dedicate one to IDS management and configure the other without an IP address, just to receive the mirrored (or spanned) traffic. In this case, the IDS management data will not "pollute" the mirrored traffic.

[Figure: port mirroring to the Snort IDS]
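The dedicated sniffing interface described above, as an added example that is not part of the original tutorial: the script configures a Linux interface without an IP address and audits the result. It assumes Linux with iproute2 and sysctl; the interface name eth1 and the file name sniff_if.sh are placeholders.

```shell
#!/bin/sh
# Added example: prepare and audit the IP-less sniffing interface on Linux.
# Assumptions: iproute2 and sysctl are available; the interface name is yours.

# Succeeds if `ip -o addr show dev IF` text on stdin lists an IPv4/IPv6 address.
has_address() { grep -Eq '[[:space:]]inet6?[[:space:]]'; }

# Succeeds if `ip -o link show dev IF` text on stdin carries interface flag $1.
has_flag() { grep -Eq "<([A-Z0-9_-]+,)*$1(,[A-Z0-9_-]+)*>"; }

# audit_sniff_iface ADDR_TEXT LINK_TEXT: prints findings, returns problem count.
audit_sniff_iface() {
    problems=0
    if printf '%s\n' "$1" | has_address; then
        echo "FAIL: address assigned; the sniffing port should have none"
        problems=$((problems + 1))
    fi
    for flag in UP PROMISC; do
        if ! printf '%s\n' "$2" | has_flag "$flag"; then
            echo "FAIL: $flag flag not set; mirrored frames would not be received"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] && echo "OK: passive sniffing port"
    return "$problems"
}

# prepare_sniff_iface IF (root): stop IPv6 autoconfiguration, which would add an
# fe80:: address at link-up, remove all addresses, enable promiscuous mode.
prepare_sniff_iface() {
    sysctl -q -w "net.ipv6.conf.$1.disable_ipv6=1" &&
    ip addr flush dev "$1" &&
    ip link set dev "$1" arp off promisc on up
}

if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    # Usage: sh sniff_if.sh apply eth1
    prepare_sniff_iface "$2" &&
    audit_sniff_iface "$(ip -o addr show dev "$2")" "$(ip -o link show dev "$2")"
else
    # Constructed sample `ip -o` output: a port that still has an address.
    audit_sniff_iface '3: eth1    inet 192.0.2.10/24 scope global eth1' \
        '3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500' || true
fi
```

Once the audit passes, Snort can listen on that interface with `snort -i eth1 -c <path to snort.conf>`.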

Here are three "port mirroring" examples with Cisco and Juniper/Netscreen switches:

Cisco Catalyst 6509 or 3750:

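Cisco_device#configure terminal
! source: the port whose traffic is copied
Cisco_device(config)#monitor session 1 source interface GigabitEthernet x/x
! destination: the port connected to the Snort sniffing interface
Cisco_device(config)#monitor session 1 destination interface GigabitEthernet x/x

Cisco Catalyst 3500XL: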

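Cisco_device#configure terminal
! enter the port connected to the Snort sniffing interface
Cisco_device(config)#interface FastEthernet x/x
! name the port whose traffic is copied to it
Cisco_device(config-if)#port monitor FastEthernet x/x

Juniper/Netscreen FireWall 25: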

set mirror port source interface1 destination interface2