[Snort-users] flex response and cisco span ports

tyler at ...4440... tyler at ...4440...
Wed Jan 2 10:31:04 EST 2002

What type of equipment do you do this on?  On a simple 3com switch, you can
make a port act like a hub, but cisco's spanning is entirely more complex.
You can choose to monitor multiple vlans on one port, therefore how would
the port know which vlan to put any sourcing traffic on?  


-----Original Message-----
From: Greg Robinson [mailto:greg at ...3899...]
Sent: Wednesday, January 02, 2002 1:25 PM
To: Graeme Fowler; tyler at ...4440...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] flex response and cisco span ports

This is not correct...I use port monitoring and port spanning on my switched
networks..and have no problem sending and receiving data on these ports.....
----- Original Message -----
From: "Graeme Fowler" <graeme.fowler at ...2189...>
To: <tyler at ...4440...>; <snort-users at lists.sourceforge.net>
Sent: Wednesday, January 02, 2002 12:05 PM
Subject: RE: [Snort-users] flex response and cisco span ports

> tf wrote:
> > When snort has to respond [ie, send RST packets] I assume it
> > sends them out the interface it is listening on?
> > How does this work when monitoring a cisco switched network?
> > Once I make a port a monitor port, it is read-only and nothing
> > can be sent out on it, so what I've done in the past is put 2
> > interfaces on my snort sensors.  One is a listener, the other
> > is the "management" port that I ssh to, etc, etc.
> In my experience, this is wrong on both counts. I have successfully used
> real live machines (both by accident *and* by design; long story) with
> live IP addresses plugged into a Cisco SPAN (port mirror, monitoring, call
> it what you will) port on Catalyst 2924XL and 3524/3548XL switches. It can
> make emergency oh-my-god-everything-broke situations a little more
> if you can sniff *and* make external connections thru the same NIC,
> especially when you have a laptop with a single interface... and you need
> just dig that MAC address out of that remote database which is not on your
> laptop!
> > So I guess my question is this.. Can I make the sensor send its
> > flex-response packets out the 'mgmt' port instead?  Surely
> > there are other people with an environment like this [snort,
> > cisco catalyst switches, flex-response] .. What's everyone else
> > doing?
> As far as I'm aware, snort chucks its flexresp packets out via *the
> gateway* therefore it spits them out thru whatever interface your default
> route points at.
> YMMV obviously, but as far back as the initial implementations of flexresp
> snort didn't do anything too fancy, just generated the packets and dropped
> them on the IP stack for the kernel to handle as it pleased. I'm not too
> proud to stand corrected, mind you!
> Graeme
> --
> Graeme Fowler
> System Administrator
> Host Europe Group PLC

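Added example, not part of the thread or of Snort's code: if response packets are handed to the kernel's IP stack as Graeme describes, the routing table decides which NIC they leave on. The sketch below does that lookup over a constructed Linux `/proc/net/route` table; the interface names (eth0 as the SPAN-port sniffer, eth1 as management), the addresses and the function names are assumptions.

```python
import ipaddress
import struct

# Constructed sample in Linux /proc/net/route format (not taken from the thread).
# Assumed layout: eth0 = sniffing NIC on the SPAN port, eth1 = management NIC
# that also carries the default route.
SAMPLE_ROUTES = (
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "eth1\t00000000\t010AA8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
    "eth0\t0001010A\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"
    "eth1\t000AA8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"
)

def _hex_to_ip(field):
    # Address fields are 32-bit values printed in little-endian byte order.
    return ipaddress.IPv4Address(struct.pack("<I", int(field, 16)))

def parse_routes(text):
    """Return a list of (network, iface, gateway, metric) for routes that are up."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 8 or not int(f[3], 16) & 0x1:   # 0x1 = RTF_UP
            continue
        net = ipaddress.IPv4Network(f"{_hex_to_ip(f[1])}/{_hex_to_ip(f[7])}")
        routes.append((net, f[0], _hex_to_ip(f[2]), int(f[6])))
    return routes

def egress_for(dst, routes):
    """Interface and next hop the kernel would pick for a packet to dst."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    # Longest prefix wins; a lower metric breaks ties.
    net, iface, gw, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return iface, (str(gw) if int(gw) else None)

ROUTES = parse_routes(SAMPLE_ROUTES)

if __name__ == "__main__":
    # Constructed targets: a host on the monitored subnet and an external host.
    for target in ("10.1.1.50", "203.0.113.7"):
        print(target, "->", egress_for(target, ROUTES))
```

With this table a reset aimed at a host on the monitored subnet leaves via eth0, while one aimed at an external host follows the default route out eth1.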