GreenLake Administration
- Community Home
- >
- Networking
- >
- Legacy
- >
- Switches, Hubs, Modems
- >
- Using SNORT w/4108gl switches
Switches, Hubs, and Modems
1845849
Members
4510
Online
110250
Solutions
Forums
Categories
Company
Local Language
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Discussions
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Go to solution
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-07-2005 03:44 AM
07-07-2005 03:44 AM
We are wanting to set up a snort box (www.snort.org) to help track down an infected machine in our network. Snort, of course, requires that it be able to see all traffic on the network.
So how can I do that when I have 4108gl switches in my switch core? The 4108gl has a limitation w/regard to setting up a "monitor" port .. it can only do "ingress monitoring".
Is anyone successfully using snort in an environment with 4108gl switches?
So how can I do that when I have 4108gl switches in my switch core? The 4108gl has a limitation w/regard to setting up a "monitor" port .. it can only do "ingress monitoring".
Is anyone successfully using snort in an environment with 4108gl switches?
Solved! Go to Solution.
7 REPLIES 7
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-13-2005 02:37 AM
07-13-2005 02:37 AM
Re: Using SNORT w/4108gl switches
Mark,
not sure off the top. i would think that the snort forums would be better equipted to answer this question. have you tried there?
-Jeff
not sure off the top. i would think that the snort forums would be better equipted to answer this question. have you tried there?
-Jeff
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-13-2005 03:57 AM
07-13-2005 03:57 AM
Re: Using SNORT w/4108gl switches
Hi Mark -
If you can monitor all of the traffic entering the 4108gl, that should be sufficient, shouldn't it?
Ralph
If you can monitor all of the traffic entering the 4108gl, that should be sufficient, shouldn't it?
Ralph
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-28-2005 08:23 PM
07-28-2005 08:23 PM
Re: Using SNORT w/4108gl switches
Hello Mark,
know exactly what you are talking about. ProCurve Switches could do the egress port monitoring only for a long time. lately ingress port monitoring shows up in the current irmware versions for some series.
I tried to give it a quick shot on the website but you really need to figure out the release notes of the current firmware. this feature change is pushed out consequently.
on the other hand we have only one monitor port were the traffic is aggregated. so what you might do is configure more than one ports to monitor and then aggregate that on the monitor port and get therefore more knowledge of the questionable device.
if you like to squeze in the questionable box you need the uplinks to be configured, which leave the 4100. than you have a chance to gather ip and mac information you can look up in th switches address caches and there find the referring ports.
for dedicated hints I need some more knowledge about your network configuration. e.g. address spaces and routing.
know exactly what you are talking about. ProCurve Switches could do the egress port monitoring only for a long time. lately ingress port monitoring shows up in the current irmware versions for some series.
I tried to give it a quick shot on the website but you really need to figure out the release notes of the current firmware. this feature change is pushed out consequently.
on the other hand we have only one monitor port were the traffic is aggregated. so what you might do is configure more than one ports to monitor and then aggregate that on the monitor port and get therefore more knowledge of the questionable device.
if you like to squeze in the questionable box you need the uplinks to be configured, which leave the 4100. than you have a chance to gather ip and mac information you can look up in th switches address caches and there find the referring ports.
for dedicated hints I need some more knowledge about your network configuration. e.g. address spaces and routing.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-01-2005 05:04 AM
08-01-2005 05:04 AM
Re: Using SNORT w/4108gl switches
As a previous post specified, there were a handful of ProCurve switches which were initially only capable of monitoring ingress traffic. The ability to monitor bi-directional traffic (both ingress and egress) has been added to most of our switches in recent firmware revisions.
The 4100 series remains an exception. The ProCurve 4100 series switches are only capable of monitoring ingress only traffic and it will remain this way.
If bi-directional monitoring is the key to getting your SNORT capture to succeed in tracking down an infected machine, there is a workaround which may meet your needs. The details of the workaround have been previously posted to the ITRC at http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=317326 titled "HP Procurve 2650 - mirroring - does it work?" One of the postings by Ardon (Dec 20, 2003 10:35:43 GMT) contains an attachment. The details for setting up the workaround are in that attachment.
This is quite admittedly a rather inelegant workaround. However, it is quite effective. I would never recommend this configuration for long term bi-directional monitoring. But for a quick method to capture data and isolate your infected client, this should do the trick nicely.
The 4100 series remains an exception. The ProCurve 4100 series switches are only capable of monitoring ingress only traffic and it will remain this way.
If bi-directional monitoring is the key to getting your SNORT capture to succeed in tracking down an infected machine, there is a workaround which may meet your needs. The details of the workaround have been previously posted to the ITRC at http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=317326 titled "HP Procurve 2650 - mirroring - does it work?" One of the postings by Ardon (Dec 20, 2003 10:35:43 GMT) contains an attachment. The details for setting up the workaround are in that attachment.
This is quite admittedly a rather inelegant workaround. However, it is quite effective. I would never recommend this configuration for long term bi-directional monitoring. But for a quick method to capture data and isolate your infected client, this should do the trick nicely.
Check the cabling. Next, check the cabling again.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-01-2005 05:32 AM
08-01-2005 05:32 AM
Re: Using SNORT w/4108gl switches
We are also considering the 5300xl. If we have an environment with a 5300 and a 4108, can I plug a SNORT listener into the 5300 and see all the traffic traversing the 5300 *and* the 4100 successfully?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-01-2005 06:47 AM
08-01-2005 06:47 AM
Re: Using SNORT w/4108gl switches
The ProCurve 5300 series switches support bi-directional port montoring (both ingress and egress traffic.) It would be a good example of a better or "more elegant" long term solution.
Check the cabling. Next, check the cabling again.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-01-2005 06:56 AM
08-01-2005 06:56 AM
Solution
I missed the second part of your question in my previous reply. The 5300 would be able to monitor all traffic (bi-directional) on the link to-from the 4100. It cannot directly monitor ports on a different switch (eg. the 4100). With switches, you configure monitoring to copy traffic to-from ports on that switch to a designated port where the monitor or capture device (SNORT) is connected. The 5300 would be able to monitor any or all ports in the 5300 (including the link to-from the 4100) but cannot monitor the 4100's ports directly.
Check the cabling. Next, check the cabling again.
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
Company
Events and news
Customer resources
© Copyright 2026 Hewlett Packard Enterprise Development LP