[Snort-users] Using Snort on a Switch via span problem

Eric Noel ericnoel at ...12153...
Mon Jul 19 21:57:04 EDT 2004


I have a problem with my Snort. I've configured the Cisco switch for 
span/port forwarding, but my problem is that Snort is working only if the 
attack is to itself. So if I try attacking the web server, it doesn't 
log in Snort. Can anyone assist me by giving pointers, reference 
materials or even directly help me? Thanks guys.

I have the following Snort/ACID setup for reference:

NET LAYOUT:
cisco 2900xl (172.30.16.0 LAN)
+-------+-------+-------+
| fa0/1 | fa0/2 | fa0/3 |
+-------+-------+-------+

fa0/2 = snort (172.30.19.49/255.255.240.0)
fa0/3 = web server (172.30.19.101/255.255.240.0)

CISCO CONFIG:
interface FastEthernet0/1
  switchport mode multi
interface FastEthernet0/2
  port monitor FastEthernet0/3

CISCO SHOW PORT MONITOR:
Monitor Port           Port Being Monitored
---------------------  ---------------------
FastEthernet0/2        FastEthernet0/3

SNORT CONF:
var HOME_NET [172.30.16.0/20]
var EXTERNAL_NET any
var HTTP_SERVERS [172.30.19.101/20,172.30.19.102/20]
var RULE_PATH /etc/snort/rules
