[Snort-users] dual nic, was: flex response and cisco span ports

Byron snail945 at ...131...
Wed Jan 2 12:17:31 EST 2002


all-

I'm using a dual nic setup as mentioned a few times in this thread.  I also
have had issues where packets tried to leave off of the snort interface when
I only want them to be routed out the administrative nic on a separate vlan
as defined by the cisco 6509.  Usually this only happened if the admin
interfaces went down for some reason.

On windows 2000, how can I allow snort to listen on one nic and not have an
ip assigned to this nic?  I'd like to avoid having a second default gateway
in the local routing table.  I only want a default gateway route for the
administrative LAN.

thx!
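The problem described above (flexresp packets, or anything else the host originates, leaving via whichever interface holds a default route) boils down to a routing-table check: a dual-NIC sensor should have exactly one default route, and it should sit on the administrative interface. The following is an added example, not code from the original message or from the Snort project, that parses a constructed Windows `route print`-style IPv4 table (the sample text, addresses and the `admin_iface_ip` parameter are all assumptions made up for the example) and reports any default route that does not leave on the admin NIC.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of a Windows "route print" IPv4 table
# (not captured from a real host): two NICs, each with its own default route.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.10.1.1      10.10.1.50       1
          0.0.0.0          0.0.0.0   192.168.5.1    192.168.5.20       1
        10.10.1.0    255.255.255.0    10.10.1.50      10.10.1.50       1
      192.168.5.0    255.255.255.0  192.168.5.20    192.168.5.20       1
        127.0.0.0        255.0.0.0     127.0.0.1       127.0.0.1       1
Default Gateway:         10.10.1.1
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_routes(text: str) -> List[Dict[str, str]]:
    """Parse the five-column 'Active Routes' rows; header, blank and
    'Default Gateway:' lines are skipped because they do not have five
    fields starting with two dotted-quad addresses."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, iface, metric = fields
        if not (IPV4.match(dest) and IPV4.match(mask) and metric.isdigit()):
            continue
        routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                       "iface": iface, "metric": metric})
    return routes


def default_routes(routes: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """A default route is destination 0.0.0.0 with netmask 0.0.0.0."""
    return [r for r in routes
            if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]


def check_default_gateways(text: str, admin_iface_ip: str) -> List[str]:
    """Return findings; an empty list means there is exactly one default
    route and it is bound to the administrative interface address."""
    findings = []
    defaults = default_routes(parse_routes(text))
    if not defaults:
        findings.append("no default route present")
    if len(defaults) > 1:
        findings.append(f"{len(defaults)} default routes present, expected 1")
    for r in defaults:
        if r["iface"] != admin_iface_ip:
            findings.append(
                f"default route via {r['gateway']} leaves on non-admin "
                f"interface {r['iface']}")
    return findings


if __name__ == "__main__":
    for finding in check_default_gateways(SAMPLE_ROUTE_PRINT, "10.10.1.50"):
        print("WARNING:", finding)
```

On the sample table the check reports two findings: two default routes exist, and the second one would push host-originated packets out the 192.168.5.20 (sniffing) interface. Once the sniffing NIC carries no IP address at all, it has no entry in the Interface column and cannot attract a default route, which is the condition the question is asking how to reach.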
----- Original Message -----
From: "John Roberds" <roberdsj at ...4446...>
Cc: <snort-users at lists.sourceforge.net>; <tyler at ...4440...>
Sent: Wednesday, January 02, 2002 10:42 AM
Subject: Re: [Snort-users] flex response and cisco span ports


>
> tf,
>
> The Cisco switches Steve mentions here are both IOS based
> switches that by default permit the type of rx/tx on the administrative
> port by default.  My guess is that you may be using a CLI ("set") based
> switch like the 4K,5K,& 6K family.  I would try the additional parameters
> inpkts enable on the span setup.  e.g.
>
> 6506(enable)# set span 4/40 4/41 both inpkts enable
>
> This should do what you want for the single interface solution.  However,
> I like the two interface concept to facilitate an independent enterprise
> wide vlan to collect data.
>
> Good luck,
>
> JR
>
> Graeme Fowler wrote:
> >
> > tf wrote:
> >
> > > When snort has to respond [ie, send RST packets] I assume it
> > > sends them out the interface it is listening on?
> > > How does this work when monitoring a cisco switched network?
> > > Once I make a port a monitor port, it is read-only and nothing
> > > can be sent out on it, so what I've done in the past is put 2
> > > interfaces on my snort sensors.  One is a listener, the other
> > > is the "management" port that I ssh to, etc, etc.
> >
> > In my experience, this is wrong on both counts. I have successfully used
> > real live machines (both by accident *and* by design; long story) with real
> > live IP addresses plugged into a Cisco SPAN (port mirror, monitoring, call
> > it what you will) port on Catalyst 2924XL and 3524/3548XL switches. It can
> > make emergency oh-my-god-everything-broke situations a little more bearable
> > if you can sniff *and* make external connections thru the same NIC,
> > especially when you have a laptop with a single interface... and you need to
> > just dig that MAC address out of that remote database which is not on your
> > laptop!
> >
> > > So I guess my question is this.. Can I make the sensor send it's
> > > flex-response packets out the 'mgmt' port instead?  Surely
> > > there are other people with an environment like this [snort,
> > > cisco catalyst switches, flex-response] .. What's everyone else
> > > doing?
> >
> > As far as I'm aware, snort chucks its flexresp packets out via *the default
> > gateway* therefore it spits them out thru whatever interface your default
> > route points at.
> >
> > YMMV obviously, but as far back as the initial implementations of flexresp
> > snort didn't do anything too fancy, just generated the packets and dropped
> > them on the IP stack for the kernel to handle as it pleased. I'm not too
> > proud to stand corrected, mind you!
> >
> > Graeme
> > --
> > Graeme Fowler
> > System Administrator
> > Host Europe Group PLC
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>