[Snort-users] flex response and cisco span ports

Greg Robinson greg at ...3899...
Wed Jan 2 10:29:07 EST 2002


This is not correct...I use port monitoring and port spanning on my switched
networks..and have no problem sending and receiving data on these ports.....
----- Original Message -----
From: "Graeme Fowler" <graeme.fowler at ...2189...>
To: <tyler at ...4440...>; <snort-users at lists.sourceforge.net>
Sent: Wednesday, January 02, 2002 12:05 PM
Subject: RE: [Snort-users] flex response and cisco span ports


> tf wrote:
>
> > When snort has to respond [ie, send RST packets] I assume it
> > sends them out the interface it is listening on?
> > How does this work when monitoring a cisco switched network?
> > Once I make a port a monitor port, it is read-only and nothing
> > can be sent out on it, so what I've done in the past is put 2
> > interfaces on my snort sensors.  One is a listener, the other
> > is the "management" port that I ssh to, etc, etc.
>
> In my experience, this is wrong on both counts. I have successfully used
> real live machines (both by accident *and* by design; long story) with real
> live IP addresses plugged into a Cisco SPAN (port mirror, monitoring, call
> it what you will) port on Catalyst 2924XL and 3524/3548XL switches. It can
> make emergency oh-my-god-everything-broke situations a little more bearable
> if you can sniff *and* make external connections thru the same NIC,
> especially when you have a laptop with a single interface... and you need to
> just dig that MAC address out of that remote database which is not on your
> laptop!
>
> > So I guess my question is this.. Can I make the sensor send its
> > flex-response packets out the 'mgmt' port instead?  Surely
> > there are other people with an environment like this [snort,
> > cisco catalyst switches, flex-response] .. What's everyone else
> > doing?
>
> As far as I'm aware, snort chucks its flexresp packets out via *the default
> gateway* therefore it spits them out thru whatever interface your default
> route points at.
>
> YMMV obviously, but as far back as the initial implementations of flexresp
> snort didn't do anything too fancy, just generated the packets and dropped
> them on the IP stack for the kernel to handle as it pleased. I'm not too
> proud to stand corrected, mind you!
>
> Graeme
> --
> Graeme Fowler
> System Administrator
> Host Europe Group PLC