[Snort-users] flex response and cisco span ports

tyler at ...4440... tyler at ...4440...
Wed Jan 2 10:25:03 EST 2002

That's my thinking.  If the interface doing the 'snorting' does not have an
IP on it, packets should go out eth1 [or the 'mgmt' interface that has an
IP], correct?


-----Original Message-----
From: Greg Herlein [mailto:gherlein at ...3379...]
Sent: Wednesday, January 02, 2002 1:19 PM
To: tyler at ...4440...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] flex response and cisco span ports

> So I guess my question is this.. Can I make the sensor send its
> flex-response packets out the 'mgmt' port instead?  Surely there are other
> people with an environment like this [snort, cisco catalyst switches,
> flex-response] .. What's everyone else doing?

I suspect that you can fix this by making sure that your routing
configuration is set so that packets are routed out the
"management" interface.  I'd configure that eth to be the default
anyway, and have the second interface (eth1 or whatever) be the
snort port.  Then the response packets ought to go out as

I think.  YRMV.


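The routing behaviour discussed in this thread, as an added example that is not part of either poster's message: it parses a routing table in Linux `/proc/net/route` format and reports which interface a route lookup selects for a given destination. It assumes a Linux sensor and that response packets follow the kernel's normal route lookup; the interface names and addresses are constructed.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/route format (hex fields as shown on x86 Linux).
# Assumed layout: eth0 = management interface with an IP, eth1 = IP-less sniffing port.
SAMPLE_ROUTES = """\
Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT
eth0\t0000000A\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0
eth0\t00000000\t0100000A\t0003\t0\t0\t0\t00000000\t0\t0\t0
"""
RTF_UP = 0x0001  # route is usable


def _hex_to_int(field):
    """Convert a little-endian hex field into an integer IPv4 address."""
    return struct.unpack("!I", struct.pack("<I", int(field, 16)))[0]


def parse_routes(text):
    """Return the usable routes from /proc/net/route style text."""
    routes = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        f = line.split()
        if not int(f[3], 16) & RTF_UP:
            continue
        routes.append({"iface": f[0], "dest": _hex_to_int(f[1]),
                       "mask": _hex_to_int(f[7]), "metric": int(f[6])})
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match, lowest metric as tie-break; None if unroutable."""
    addr = int(ipaddress.IPv4Address(dst))
    hits = [r for r in routes if (addr & r["mask"]) == r["dest"]]
    if not hits:
        return None
    best = max(hits, key=lambda r: (bin(r["mask"]).count("1"), -r["metric"]))
    return best["iface"]


def check_sensor(routes, sniff_if, targets):
    """Map each target to its egress interface; flag routes on the sniffing port."""
    result = {t: egress_interface(routes, t) for t in targets}
    return result, any(r["iface"] == sniff_if for r in routes)


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print(check_sensor(routes, "eth1", ["10.0.0.77", "192.0.2.10"]))
```

On a live sensor the same functions can be fed the contents of `/proc/net/route` instead of the constructed sample.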
