RE: dual nic, was: flex response and cisco span por ts

["Burleson, Lee (IA)" <Lee.Burleson () ia ngb army mil>]

Byron -

Try unbinding TCP/IP from the non-admin interface(s).  You will need the
latest version of WinPCap to do this.  I have this running successfully in
my environment on several sensors now.

Big smiles to those guys in Italy for that improvement.

HTH.

- Lee

> -----Original Message-----
> From: Byron [mailto:snail945 () yahoo com]
> Sent: Wednesday, January 02, 2002 14:13
> To: John Roberds
> Cc: snort-users () lists sourceforge net; tyler () ibill com
> Subject: Re: [Snort-users] dual nic, was: flex response and cisco span
> ports
>
>
> all-
>
> I'm using a dial nic setup as mentioned a few times in this 
> thread.  I also
> have had issues where packets tried to leave off of the snort 
> interface when
> i only want them to be routed out the administrative nic on a 
> separate vlan
> as defined by the cisco 6509.  Usually this only happened if the admin
> interfaces went down for some reason.
>
> On windows 2000, how can i allow snort to listen on one nic 
> and not have an
> ip assigned to this nic?  I'd like to avoid having a second 
> default gateway
> in the local routing table.  I only want a default gateway 
> route for the
> administrative LAN.
>
> thx!
> ----- Original Message -----
> From: "John Roberds" <roberdsj () wishard edu>
> Cc: <snort-users () lists sourceforge net>; <tyler () ibill com>
> Sent: Wednesday, January 02, 2002 10:42 AM
> Subject: Re: [Snort-users] flex response and cisco span ports
>
>
> > tf,
> >
> > The Cisco switches Steve mentions here are both IOS based
> > switches that by default permit the type of rx/tx on the 
> administrative
> > port by default.  My guess is that you may be using a CLI 
> ("set") based
> > switch like the 4K,5K,& 6K family.  I would try the 
> additional parameters
> > inpkts enable on the span setup.  e.g.
> >
> > 6506(enable)# set span 4/40 4/41 both inpkts enable
> >
> > This should do what you want for the single interface 
> solution.  However,
> > I like the two interface concept to facilitate an 
> independent enterprise
> > wide vlan to collect data.
> >
> > Good luck,
> >
> > JR
> >
> > Graeme Fowler wrote:
> > > tf wrote:
> > >
> > > > When snort has to respond [ie, send RST packets] I assume it
> > > > sends them out the interface it is listening on?
> > > > How does this work when monitoring a cisco switched network?
> > > > Once I make a port a monitor port, it is read-only and nothing
> > > > can be sent out on it, so what I've done in the past is put 2
> > > > interfaces on my snort sensors.  One is a listener, the other
> > > > is the "management" port that I ssh to, etc, etc.
> > >
> > > In my experience, this is wrong on both counts. I have 
> successfully used
> > > real live machines (both by accident *and* by design; 
> long story) with
> real
> > > live IP addresses plugged into a Cisco SPAN (port mirror, 
> monitoring,
> call
> > > it what you will) port on Catalyst 2924XL and 3524/3548XL 
> switches. It
> can
> > > make emergency oh-my-god-everything-broke situations a little more
> bearable
> > > if you can sniff *and* make external connections thru the 
> same NIC,
> > > especially when you have a laptop with a single 
> interface... and you
> need to
> > > just dig that MAC address out of that remote database 
> which is not on
> your
> > > laptop!
> > >
> > > > So I guess my question is this.. Can I make the sensor send it's
> > > > flex-response packets out the 'mgmt' port instead?  Surely
> > > > there are other people with an environment like this [snort,
> > > > cisco catalyst switches, flex-response] .. What's everyone else
> > > > doing?
> > >
> > > As far as I'm aware, snort chucks its' flexresp packets 
> out via *the
> default
> > > gateway* therefore it spits them out thru whatever interface your
> default
> > > route points at.
> > >
> > > YMMV obviously, but as far back as the initial implementations of
> flexresp
> > > snort didn't do anything too fancy, just generated the packets and
> dropped
> > > them on the IP stack for the kernel to handle as it 
> pleased. I'm not too
> > > proud to stand corrected, mind you!
> > >
> > > Graeme
> > > --
> > > Graeme Fowler
> > > System Administrator
> > > Host Europe Group PLC
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users