Snort with Cisco port mirroring



  • Hi

    I have a question regarding how to set up Snort with port mirroring on a Cisco switch.

    I have a Cisco switch where the internet connection is connected to port 1 in VLAN 123. I would like to insert a pfSense with Snort as an IDS to monitor this connection. For this I am going to do the following configuration on the Cisco switch:

    #monitor session 1 source interface GigabitEthernet 0/1
    #monitor session 1 destination interface GigabitEthernet 0/48

    Then I plan to connect port 48 to one of the NICs in the pfSense.

    But then what..? How do I configure the interface on the pfSense to inspect the traffic? Should I configure it with a VLAN ID of 123?



  • @miloman:

    But then what..? How do I configure the interface on the pfSense to inspect the traffic? Should I configure it with a VLAN ID of 123?

    Take a look at this Wikipedia doc:
    http://en.wikipedia.org/wiki/Port_mirroring
    ...
    An example of a SPAN configuration on a Cisco 2950 Switch is below.

    Monitor session 1 destination interface fastethernet 0/4 encap ingress vlan 1
    Monitor session 1 source interface fastethernet 0/1 , 0/2 , 0/3

    The above example mirrors data from ports 0/1, 0/2 and 0/3 to the destination port 0/4 using VLAN 1 for VLAN tagging.
    To show the status of a SPAN monitor session use the following command.

    show monitor session 1


  • Affirmative on the Cisco stuff…

    But what about the pfSense part... Got any ideas on how to configure the interfaces?

    What I mean is... How do I get the pfSense to inspect the data when it's not actually being used for routing and such?



  • @miloman:

    What I mean is… How do I get the pfSense to inspect the data when it's not actually being used for routing and such?

    As you did port mirroring, pfSense will see this traffic.

    The "encap ingress vlan 1" may mean that all mirrored traffic will be mirrored on VLAN 1 of this port.

    Just enable Snort on this interface and look for alerts.

    You can also configure pfSense to tag VLAN ID 123 and assign it to the WAN interface.
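    Whether the SPAN destination needs a VLAN sub-interface on pfSense depends on whether the mirrored frames arrive tagged (as with "encap ingress vlan 1") or untagged. The following is an added example, not code from this thread or from pfSense/Snort: it parses raw Ethernet headers from a capture of the mirror port, pulls the 802.1Q VLAN ID out of any tag, and counts which VLANs the feed actually carries. The sample frames and MAC addresses are constructed, not from a real capture.

```python
import struct
from collections import Counter

ETH_P_8021Q = 0x8100   # customer VLAN tag (802.1Q)
ETH_P_8021AD = 0x88A8  # service VLAN tag (802.1ad, QinQ)


def parse_ethernet(frame: bytes) -> dict:
    """Parse one Ethernet header: MACs, stacked VLAN IDs (outermost first)
    and the EtherType of the payload that follows the tags."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    offset, vlans = 12, []
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    # Each 802.1Q/802.1ad tag inserts 4 bytes: TPID (2) + TCI (2).
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    return {"dst": dst, "src": src, "vlans": vlans, "ethertype": ethertype}


def summarize_span_feed(frames) -> dict:
    """Count untagged vs tagged frames and which VLAN IDs appear on the feed."""
    untagged, tagged, ids = 0, 0, Counter()
    for frame in frames:
        info = parse_ethernet(frame)
        if info["vlans"]:
            tagged += 1
            ids[info["vlans"][0]] += 1  # outer tag selects the pfSense VLAN sub-interface
        else:
            untagged += 1
    return {"untagged": untagged, "tagged": tagged, "vlan_ids": dict(ids)}


# Constructed sample frames (not a real capture): MACs and payloads are dummies.
MAC_DST, MAC_SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
PAYLOAD = bytes(46)  # zero-filled minimum payload
UNTAGGED_IPV4 = MAC_DST + MAC_SRC + b"\x08\x00" + PAYLOAD
TAGGED_VLAN123 = MAC_DST + MAC_SRC + b"\x81\x00" + (123).to_bytes(2, "big") + b"\x08\x00" + PAYLOAD
TAGGED_VLAN1 = MAC_DST + MAC_SRC + b"\x81\x00" + (1).to_bytes(2, "big") + b"\x08\x00" + PAYLOAD

if __name__ == "__main__":
    print(summarize_span_feed([UNTAGGED_IPV4, TAGGED_VLAN123, TAGGED_VLAN1]))
```

    If the summary shows only untagged frames, the plain physical interface is enough for Snort; if it shows tags, create a VLAN sub-interface on pfSense with that ID (for example 123) and enable Snort there.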



  • Do I need to set the interface type to something specific in pfSense? none/static/x ?

    If I were to set the interface type to "none", would Snort then still be able to sniff the traffic?

    I'm guessing Snort does some kind of tcpdump on the interface itself… That way it doesn't have to have an IP address set, I'm guessing...?

    Thank you for your help so far. :)



  • Snort itself does not need an IP on the interface to sniff packets.

    The best way to do this is to tag a LAN interface and assign an IP so you can reach pfSense to see WAN Snort alerts.



  • My pfSense box has 2 NICs: 1 NIC dedicated to management… 1 NIC connected to the mirrored port on the Cisco switch.

    I figured that by doing it that way I wouldn't get any "pollution" from management traffic on the IDS interface.

