[Snort-users] Using Snort on a Switch via span problem

SN ORT snort_on_acid at ...131...
Thu Jul 22 06:40:03 EDT 2004


Then you are not seeing the traffic going to those
server(s). You either have the wrong interface
specified in the snort startup command or you are not
spanning properly. Do a dump on the line to be sure
you're even seeing that traffic and check your
cmd-line...

Cheese!

Marc




--__--__--

Message: 2
Date: Thu, 22 Jul 2004 08:34:20 +0800
From: Eric Noel <ericnoel at ...12153...>
To:  snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Using Snort on a Switch via span problem

On 7/20/2004 12:56 PM, Eric Noel wrote:
> I have a problem with my snort, I've configured the cisco switch for
> span/port forwarding but my problem is that snort is working only if the
> attack is to itself. so if I tried attacking the web server, it doesn't
> log in the snort. Can anyone assist me by giving pointers, reference
> materials or even directly help me?? Thanks guys.
>
> I have the ff snort/acid setup for reference:
>
> NET LAYOUT:
> cisco 2900xl (172.30.16.0 LAN)
> +-------+-------+-------+
> | fa0/1 | fa0/2 | fa0/3 |
> +-------+-------+-------+
>
> fa0/2 = snort (172.30.19.49/255.255.240.0)
> fa0/3 = web server (172.30.19.101/255.255.240.0)
>
> CISCO CONFIG:
> interface FastEthernet0/1
>  switchport mode multi
> interface FastEthernet0/2
>  port monitor FastEthernet0/3
>
> CISCO SHOW PORT MONITOR:
> Monitor Port           Port Being Monitored
> ---------------------  ---------------------
> FastEthernet0/2        FastEthernet0/3
>
> SNORT CONF:
> var HOME_NET [172.30.16.0/20]
> var EXTERNAL_NET any
> var HTTP_SERVERS [172.30.19.101/20,172.30.19.102/20]
> var RULE_PATH /etc/snort/rules
>

> I tried Matt's revision to my snort's conf but it still just logs only
> intrusion directed to the snort server and not to other servers (e.g.
> webserver). Anyway, I just installed a sensor on the firewall portion
> and log to the snort server just to make ends meet :(. I hope somebody
> has a clue on why I still can't detect any intrusion other than my snort
> server.
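
The "dump on the line" check suggested in the reply above, as an added example (not part of the original thread or anyone's posted code): a Python parser that reads a capture taken on the sensor's sniffing interface and counts IPv4 frames by whether they involve the sensor itself or the mirrored web server. It assumes a classic pcap file of untagged Ethernet, such as one written by `tcpdump -w`; the function names, the client address 172.30.16.5 and both sample captures are constructed for illustration.

```python
import ipaddress
import struct

def span_visibility(pcap_bytes, sensor_ip, monitored_ip):
    """Tally IPv4 frames in a classic pcap file by whose traffic they carry."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    sensor = ipaddress.ip_address(sensor_ip).packed
    monitored = ipaddress.ip_address(monitored_ip).packed
    counts = {"sensor": 0, "monitored": 0, "other": 0}
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not untagged IPv4, or truncated
        ends = (frame[26:30], frame[30:34])    # IPv4 source and destination
        if sensor in ends:
            counts["sensor"] += 1              # visible even without a mirror
        elif monitored in ends:
            counts["monitored"] += 1           # only visible if the mirror works
        else:
            counts["other"] += 1
    return counts

# Constructed sample data (not from the thread): minimal Ethernet/IPv4 frames.
def _frame(src, dst):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SENSOR, WEB, CLIENT = "172.30.19.49", "172.30.19.101", "172.30.16.5"  # CLIENT is made up
BROKEN = _pcap([_frame(CLIENT, SENSOR), _frame(SENSOR, CLIENT)])
WORKING = _pcap([_frame(CLIENT, SENSOR), _frame(CLIENT, WEB), _frame(WEB, CLIENT)])

if __name__ == "__main__":
    for name, cap in (("broken", BROKEN), ("working", WORKING)):
        c = span_visibility(cap, SENSOR, WEB)
        print(name, c, "mirror OK" if c["monitored"] else "no mirrored traffic seen")
```

A capture whose `monitored` count stays at zero while clients are using the web server matches the symptom in the thread: the sensor interface is receiving only its own traffic, so no Snort rule can fire on anything else.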


		



