Hi All,
I have a doubt about my setup. I am not sure whether the setup I have built is as per IDS standards or not, but Snort IDS is not capturing traffic. I want to be sure that from the switch end I have mapped the needs of the IDS. Below is the setup I have built.
Step 1:
Built EIGRP between the router and the switch over a Check Point transparent firewall. Neighbourship/routes are received as expected.
Router 4431 --- Gi0/0/1 routed port (IP 10.10.10.10/29) --------- (L2 bridge) Check Point (L2 bridge) --------- Gi0/0/1 routed port (10.10.10.9/29) 3850.
Step 2:
Created Snort on a VM on a Dell server, on a shared NIC (vSwitch Group 2) with IP 10.10.5.19. The NIC is connected to 3850 L2 port Gi0/0/2. This IP is reachable from the network, working as expected. Other VMs are also reachable under this vSwitch group. The Snort service on the VM is active and running.
Step 3:
The need is to monitor the traffic on the inside interface of the 3850 switch, i.e. Gi0/0/1, which is routed, to capture the traffic that is received and transferred over this inside port.
I have used a port on the Dell server on a separate NIC, which is placed under a vSwitch Group 3 dedicated to the Snort mirror port and connected to 3850 L2 port Gi0/0/3. No IP is assigned to this port. The switch port configuration for mirroring is as below.
!
interface gi0/0/1---Routed inside port, connected to the Check Point L2 bridge toward Router 4431 (Step 1)
no shut
no switchport
ip add 10.10.10.9 255.255.255.248
!
interface gi0/0/2---Connected to Dell Server Shared Vswitch NIC 2 for all VMs
no shut
switchport access vlan 2201--VLAN for VM Servers including SNORT
!
interface gi0/0/3---Connected to Dell Server dedicated Vswitch NIC 3 for Snort Mirroring
no shut
switchport mode access
!
monitor session 2 source interface Gi0/0/1 both
monitor session 2 destination interface Gi0/0/3
!
Is the above setup correct? I am not getting logs in Snort; I think I am missing something. Please share your thoughts on this: can we monitor a routed port as a source, and will the mirror port on the Snort side work without an IP?
Regards,
Vishal
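An added check, not part of the post above: the two things to verify are that the switch-side SPAN session really mirrors the routed port Gi0/0/1 in both directions to Gi0/0/3, and that the Snort VM's dedicated mirror NIC (no IP needed) is up and in promiscuous mode, since otherwise the NIC drops mirrored frames not addressed to it. The script below parses constructed samples of `show monitor session 2` and `ip -o link show`; the interface name ens224 for the mirror NIC is an assumption.

```python
import re

# Constructed sample of `show monitor session 2` on the 3850 (not from the post)
SHOW_MONITOR = """\
Session 2
---------
Source Ports           :
    Both               : Gi0/0/1
Destination Ports      : Gi0/0/3
"""

# Constructed `ip -o link show` from the Snort VM; ens224 = mirror NIC (Group 3)
IP_LINK = """\
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
"""

def parse_monitor_session(text):
    # Returns {'sources': {port: direction}, 'destination': port}
    session = {"sources": {}, "destination": None}
    for line in text.splitlines():
        if m := re.match(r"\s*(Both|RX Only|TX Only)\s*:\s*(\S+)", line, re.I):
            session["sources"][m.group(2)] = m.group(1).lower()
        if m := re.match(r"\s*Destination Ports\s*:\s*(\S+)", line):
            session["destination"] = m.group(1)
    return session

def check_span(text, source, dest):
    # Switch side: an empty list means the session matches the intended design
    s = parse_monitor_session(text)
    problems = []
    if source not in s["sources"]:
        problems.append("source-missing")     # routed port is not mirrored
    elif s["sources"][source] != "both":
        problems.append("source-not-both")    # rx- or tx-only gives Snort half a flow
    if s["destination"] != dest:
        problems.append("destination-wrong")  # frames land on the wrong port
    return problems

def check_mirror_nic(text, iface):
    # Snort side: mirror NIC needs no IP but must be UP and PROMISC (on ESXi the
    # port group must also accept promiscuous mode, or the VM never sees frames)
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+):\s+<([^>]*)>", line)
        if m and m.group(1) == iface:
            flags = set(m.group(2).split(","))
            missing = [f for f in ("UP", "PROMISC") if f not in flags]
            return [f"no-{f.lower()}" for f in missing]  # e.g. ['no-promisc']
    return ["iface-missing"]
```

With the constructed samples the switch side passes, while the VM side reports `no-promisc`, which is the state to fix with `ip link set ens224 promisc on` (plus the vSwitch port-group setting) before starting Snort with `-i ens224`.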