[Snort-users] flex response and cisco span ports

tyler at ...4440... tyler at ...4440...
Wed Jan 2 08:43:11 EST 2002


I'm going to be implementing a distributed snort configuration soon and I
have a question regarding flex-response as that's something I'd like to use.

When snort has to respond [ie, send RST packets] I assume it sends them out
the interface it is listening on?  How does this work when monitoring a
cisco switched network?  Once I make a port a monitor port, it is read-only
and nothing can be sent out on it, so what I've done in the past is put 2
interfaces on my snort sensors.  One is a listener, the other is the
"management" port that I ssh to, etc, etc.

So I guess my question is this.. Can I make the sensor send it's
flex-response packets out the 'mgmt' port instead?  Surely there are other
people with an environment like this [snort, cisco catalyst switches,
flex-response] .. What's everyone else doing?



This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager at postmaster at ...4441...

More information about the Snort-users mailing list