[Snort-users] flex response and cisco span ports
roberdsj at ...4446...
Wed Jan 2 10:46:04 EST 2002
The Cisco switches Steve mentions here are both IOS based
switches that by default permit the type of rx/tx on the administrative
port. My guess is that you may be using a CLI ("set") based
switch like the 4K, 5K, & 6K family. I would try the additional parameter
inpkts enable on the span setup, e.g.
6506(enable)# set span 4/40 4/41 both inpkts enable
This should do what you want for the single interface solution. However,
I like the two interface concept to facilitate an independent enterprise
wide vlan to collect data.
Graeme Fowler wrote:
> tf wrote:
> > When snort has to respond [ie, send RST packets] I assume it
> > sends them out the interface it is listening on?
> > How does this work when monitoring a cisco switched network?
> > Once I make a port a monitor port, it is read-only and nothing
> > can be sent out on it, so what I've done in the past is put 2
> > interfaces on my snort sensors. One is a listener, the other
> > is the "management" port that I ssh to, etc, etc.
> In my experience, this is wrong on both counts. I have successfully used
> real live machines (both by accident *and* by design; long story) with real
> live IP addresses plugged into a Cisco SPAN (port mirror, monitoring, call
> it what you will) port on Catalyst 2924XL and 3524/3548XL switches. It can
> make emergency oh-my-god-everything-broke situations a little more bearable
> if you can sniff *and* make external connections thru the same NIC,
> especially when you have a laptop with a single interface... and you need to
> just dig that MAC address out of that remote database which is not on your
> > So I guess my question is this.. Can I make the sensor send its
> > flex-response packets out the 'mgmt' port instead? Surely
> > there are other people with an environment like this [snort,
> > cisco catalyst switches, flex-response] .. What's everyone else
> > doing?
> As far as I'm aware, snort chucks its flexresp packets out via *the default
> gateway* therefore it spits them out thru whatever interface your default
> route points at.
> YMMV obviously, but as far back as the initial implementations of flexresp
> snort didn't do anything too fancy, just generated the packets and dropped
> them on the IP stack for the kernel to handle as it pleased. I'm not too
> proud to stand corrected, mind you!
> Graeme Fowler
> System Administrator
> Host Europe Group PLC
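The thread's two practical points are that flexresp packets are handed to the IP stack and so leave via whatever interface the routing table picks, and that on a CatOS ("set") switch a span port needs `inpkts enable` before anything sent out of it goes anywhere. The following is an added example, not code from the thread or from the snort project: a small longest-prefix route lookup over two constructed sensor routing tables (a two-NIC sensor with a separate management interface and a single-NIC laptop-style sensor), used to tell in advance whether a reply would go out the SPAN-connected device. Device names, addresses and the table contents are all assumptions made for illustration.

```python
"""Added example (not from the Snort-users thread): which interface a
kernel-routed packet such as a flexresp RST would leave on.

flexresp hands its packets to the IP stack, so the egress interface follows
the routing table (longest-prefix match, default route as the fallback), not
the interface snort sniffs on. Both routing tables below are constructed.
"""
import ipaddress

# Constructed two-NIC sensor: eth0 is the SPAN listener with no address,
# eth1 is the management interface and carries the default route.
ROUTES_TWO_NIC = [
    # (destination prefix, next hop or None when directly connected, device)
    ("10.20.0.0/24", None, "eth1"),
    ("10.30.0.0/16", "10.20.0.254", "eth1"),
    ("0.0.0.0/0", "10.20.0.1", "eth1"),
]

# Constructed single-NIC sensor: eth0 both sniffs the SPAN port and holds
# the address and the default route, as in the single-interface laptop case.
ROUTES_ONE_NIC = [
    ("10.20.0.0/24", None, "eth0"),
    ("0.0.0.0/0", "10.20.0.1", "eth0"),
]


def egress_interface(dst, routes):
    """Return (device, next_hop) for dst by longest-prefix match, or None
    when no route covers it. next_hop is dst itself when directly connected."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        # A more specific prefix always wins; the /0 default only matches last.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        return None
    net, gw, dev = best
    return dev, (gw if gw is not None else dst)


def reply_uses_span_port(dst, span_dev, routes):
    """True when a reply to dst would leave on the SPAN-connected device.
    That is the case where a CatOS span port needs 'inpkts enable' (or the
    switch must otherwise accept ingress on the monitor port) for the
    packet to be forwarded at all."""
    hop = egress_interface(dst, routes)
    return hop is not None and hop[0] == span_dev


if __name__ == "__main__":
    tables = (("two-NIC", ROUTES_TWO_NIC), ("one-NIC", ROUTES_ONE_NIC))
    for name, table in tables:
        for dst in ("10.20.0.7", "10.30.5.5", "192.0.2.9"):
            where = "via SPAN port" if reply_uses_span_port(dst, "eth0", table) else "via mgmt"
            print(name, dst, egress_interface(dst, table), where)
```

On a real sensor the same question is answered by the kernel's own lookup (for example `ip route get <dst>` on Linux); the table-driven version here just makes the dependency on the default route explicit, which is why a two-interface sensor normally sees its resets leave on the management NIC rather than the listener.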