[Snort-users] flex response and cisco span ports

John Roberds roberdsj at ...4446...
Wed Jan 2 10:46:04 EST 2002


	The Cisco switches Steve mentions here are both IOS based 
switches that by default permit the type of rx/tx on the administrative
port by default.  My guess is that you may be using a CLI ("set") based 
switch like the 4K,5K,& 6K family.  I would try the additional parameters
inpkts enable on the span setup.  e.g.

6506(enable)# set span 4/40 4/41 both inpkts enable

This should do what you want for the single interface solution.  However, 
I like the two interface concept to facilitate an independent enterprise 
wide vlan to collect data.

Good luck,


Graeme Fowler wrote:
> tf wrote:
> > When snort has to respond [ie, send RST packets] I assume it
> > sends them out the interface it is listening on?
> > How does this work when monitoring a cisco switched network?
> > Once I make a port a monitor port, it is read-only and nothing
> > can be sent out on it, so what I've done in the past is put 2
> > interfaces on my snort sensors.  One is a listener, the other
> > is the "management" port that I ssh to, etc, etc.
> In my experience, this is wrong on both counts. I have successfully used
> real live machines (both by accident *and* by design; long story) with real
> live IP addresses plugged into a Cisco SPAN (port mirror, monitoring, call
> it what you will) port on Catalyst 2924XL and 3524/3548XL switches. It can
> make emergency oh-my-god-everything-broke situations a little more bearable
> if you can sniff *and* make external connections thru the same NIC,
> especially when you have a laptop with a single interface... and you need to
> just dig that MAC address out of that remote database which is not on your
> laptop!
> > So I guess my question is this.. Can I make the sensor send it's
> > flex-response packets out the 'mgmt' port instead?  Surely
> > there are other people with an environment like this [snort,
> > cisco catalyst switches, flex-response] .. What's everyone else
> > doing?
> As far as I'm aware, snort chucks its' flexresp packets out via *the default
> gateway* therefore it spits them out thru whatever interface your default
> route points at.
> YMMV obviously, but as far back as the initial implementations of flexresp
> snort didn't do anything too fancy, just generated the packets and dropped
> them on the IP stack for the kernel to handle as it pleased. I'm not too
> proud to stand corrected, mind you!
> Graeme
> --
> Graeme Fowler
> System Administrator
> Host Europe Group PLC
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list