
Snort Forums Archive




SNORT Running On Cisco IDSM-1


Posted by PRYBAR on May 05, 2005 10:47:53

Here's a little bit of an interesting question to all of you.

Cisco has two different hardware revisions of their blade-style IDS for the Cisco 6500 switch, version 1 and 2. Version 1s are pretty much worthless now since there is no further support for them, and the entire software architecture of their IDS offering has since changed. However, these boxes were basically a dual-proc PC that slid into the switch and ran Solaris, if I recall correctly. Just like the version 2 boxes, but slower. Oh, and version 2 runs RH, BTW. =)

Any Linux ninjas out there think they could get these boxes to run SNORT? There is a way to gain root level access to the box, but I don't have the Linux skills to make this whole idea happen.

I think this would make a lot of people with stacks of these things collecting dust happy (me for one), by making them worth something once again. The main attraction to this idea is that these little blade IDSs have direct access to the switching fabric, so they can see ANYTHING that traverses the switch backplane, unlike an externally connected box.

Ideas? Comments?

Thanks

Posted by mks on May 06, 2005 10:57:04

"...these little blade IDS's have direct access to the switching fabric..."

What kind of interface is used to connect the device to the switch, and how is the port visible to the OS? If Snort can't read/write it, maybe it is possible to use inline mode (-j QUEUE)... in the worst case Snort can be patched ;)

Posted by PRYBAR on May 17, 2005 11:04:01

This is what it looks like, I think it is probably proprietary. However, if you guys give me the appropriate *nix commands to run I can run them and post the output. I can even provide access to one on a test network, for someone who feels they’re skilled and up to the challenge. :)

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_data_sheet09186a00801e55dd.html
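Since the thread stalls on "which *nix commands should I run", here is an added example (not posted by PRYBAR, mks or anyone else in the thread) of the survey script a tester would put on the blade first. It answers mks's two questions in order: what interfaces the kernel exposes, and which of them look like a capture port (receive counters climbing, but no route, so no IP stack is using them). The /proc/net/dev and /proc/net/route tables embedded below are constructed samples for an imaginary two-NIC sensor; the real IDSM-1 interface names, the driver situation, and the iptables/Snort invocations in the comments are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Capture-port survey for a Linux sensor whose NIC may be proprietary.
# Added example; nothing here is taken from the IDSM-1 itself.

# Parse a /proc/net/dev table (2.4/2.6 layout) into "name rx_bytes=N tx_bytes=N".
# $1: path to a file in that format (default: the live table).
list_ifaces() {
    awk -F'[: ]+' 'NR > 2 { sub(/^ +/, ""); print $1, "rx_bytes=" $2, "tx_bytes=" $10 }' \
        "${1:-/proc/net/dev}"
}

# Interfaces that carry at least one route, i.e. ones the IP stack is using.
# $1: path to a /proc/net/route-format file (default: the live table).
routed_ifaces() {
    awk 'NR > 1 { print $1 }' "${1:-/proc/net/route}" | sort -u
}

# Heuristic: an interface that has received bytes but owns no route is a
# sniffing/span port candidate that Snort should try to open with libpcap.
# If it never shows up here at all, the kernel has no driver exposing it and
# the options are a driver, or (if traffic is bridged through the box) netfilter
# inline mode: iptables -A FORWARD -j QUEUE, then snort -Q -c snort.conf
# (Snort 2.3-era inline build; assumed invocation, check your version's -h).
capture_candidates() {
    devfile="${1:-/proc/net/dev}"
    routefile="${2:-/proc/net/route}"
    routed=$(routed_ifaces "$routefile")
    list_ifaces "$devfile" | while read -r name rx tx; do
        bytes=${rx#rx_bytes=}
        case "$name" in lo) continue ;; esac          # loopback is never a capture port
        [ "$bytes" -gt 0 ] || continue                # nothing received: not plugged into the fabric
        echo "$routed" | grep -qx "$name" && continue # has an IP/route: management port
        echo "$name"
    done
}

# Constructed sample: eth0 is management, eth1 receives traffic but never transmits.
SAMPLE_DEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1024      16    0    0    0     0          0         0     1024      16    0    0    0     0       0          0
  eth0:  204800    1900    0    0    0     0          0         0    98304     870    0    0    0     0       0          0
  eth1: 9437184   71000    0   12    0     0          0         0        0       0    0    0    0     0       0          0'

# Constructed sample: only eth0 carries routes (10.0.0.0/24 and a default).
SAMPLE_ROUTE='Iface   Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
eth0    0000000A    00000000 0001  0      0   0      00FFFFFF 0   0      0
eth0    00000000    0100000A 0003  0      0   0      00000000 0   0      0'

# Run the heuristic over the constructed samples; prints "eth1".
demo() {
    tmpd=$(mktemp -d)
    printf '%s\n' "$SAMPLE_DEV" > "$tmpd/dev"
    printf '%s\n' "$SAMPLE_ROUTE" > "$tmpd/route"
    capture_candidates "$tmpd/dev" "$tmpd/route"
    rm -rf "$tmpd"
}

# What to actually run on the blade and paste back to the thread.
survey() {
    uname -a
    echo "--- interfaces (/proc/net/dev)"; list_ifaces
    echo "--- capture candidates (traffic but no route)"; capture_candidates
    for c in lspci lsmod; do
        command -v "$c" >/dev/null 2>&1 && { echo "--- $c"; "$c"; }
    done
    echo "--- next step: tcpdump -i <candidate> -c 1  (does libpcap open it?)"
}

case "${1:-}" in
    --live) survey ;;
    --demo) demo ;;
esac
```

Run it as `sh survey.sh --demo` to see the heuristic pick `eth1` out of the constructed tables, and `sh survey.sh --live` on the blade to get the listing mks asked for. Whether `tcpdump -i <candidate>` then succeeds is the decisive test: if libpcap can open the port, plain Snort works; if the port is not even in /proc/net/dev, no amount of Snort configuration helps until a driver exposes it.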

Posted by ajwood on May 26, 2005 07:46:42

I can't speak to those devices, but the IDS 4250 is also a Linux-based system (RH 7.2). I have a dev system on which I compiled snort, dsniff and several network apps, copied the compiled binaries to the IDS, and it runs fine (sometimes a symlink or 2 is needed). The root pwd is the same as the 'cisco' user.

Posted by PRYBAR on January 17, 2006 10:43:55

Bump...