Snort mailing list archives
RE: dual nic, was: flex response and cisco span por ts
From: "Burleson, Lee (IA)" <Lee.Burleson () ia ngb army mil>
Date: Wed, 2 Jan 2002 17:45:02 -0600
Byron -

Try unbinding TCP/IP from the non-admin interface(s). You will need the latest version of WinPcap to do this. I have this running successfully in my environment on several sensors now. Big smiles to those guys in Italy for that improvement.

HTH.

- Lee
-----Original Message-----
From: Byron [mailto:snail945 () yahoo com]
Sent: Wednesday, January 02, 2002 14:13
To: John Roberds
Cc: snort-users () lists sourceforge net; tyler () ibill com
Subject: Re: [Snort-users] dual nic, was: flex response and cisco span ports

all-

I'm using a dual nic setup as mentioned a few times in this thread. I also have had issues where packets tried to leave off of the snort interface when I only want them to be routed out the administrative nic on a separate vlan as defined by the cisco 6509. Usually this only happened if the admin interfaces went down for some reason.

On windows 2000, how can I allow snort to listen on one nic and not have an ip assigned to this nic? I'd like to avoid having a second default gateway in the local routing table. I only want a default gateway route for the administrative LAN.

thx!

----- Original Message -----
From: "John Roberds" <roberdsj () wishard edu>
Cc: <snort-users () lists sourceforge net>; <tyler () ibill com>
Sent: Wednesday, January 02, 2002 10:42 AM
Subject: Re: [Snort-users] flex response and cisco span ports

tf,

The Cisco switches Steve mentions here are both IOS based switches that by default permit the type of rx/tx on the administrative port. My guess is that you may be using a CLI ("set") based switch like the 4K, 5K & 6K family. I would try the additional parameters inpkts enable on the span setup, e.g.

6506(enable)# set span 4/40 4/41 both inpkts enable

This should do what you want for the single interface solution. However, I like the two interface concept to facilitate an independent enterprise-wide vlan to collect data.

Good luck,
JR

Graeme Fowler wrote:

> tf wrote:
>
> > When snort has to respond [ie, send RST packets] I assume it sends them out the interface it is listening on? How does this work when monitoring a cisco switched network?
> >
> > Once I make a port a monitor port, it is read-only and nothing can be sent out on it, so what I've done in the past is put 2 interfaces on my snort sensors. One is a listener, the other is the "management" port that I ssh to, etc, etc.
>
> In my experience, this is wrong on both counts. I have successfully used real live machines (both by accident *and* by design; long story) with real live IP addresses plugged into a Cisco SPAN (port mirror, monitoring, call it what you will) port on Catalyst 2924XL and 3524/3548XL switches. It can make emergency oh-my-god-everything-broke situations a little more bearable if you can sniff *and* make external connections thru the same NIC, especially when you have a laptop with a single interface... and you need to just dig that MAC address out of that remote database which is not on your laptop!
>
> > So I guess my question is this.. Can I make the sensor send its flex-response packets out the 'mgmt' port instead? Surely there are other people with an environment like this [snort, cisco catalyst switches, flex-response] .. What's everyone else doing?
>
> As far as I'm aware, snort chucks its flexresp packets out via *the default gateway*, therefore it spits them out thru whatever interface your default route points at. YMMV obviously, but as far back as the initial implementations of flexresp snort didn't do anything too fancy, just generated the packets and dropped them on the IP stack for the kernel to handle as it pleased. I'm not too proud to stand corrected, mind you!
>
> Graeme
> --
> Graeme Fowler
> System Administrator
> Host Europe Group PLC

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
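Added worked example (not part of the thread, and not Snort or WinPcap code): a small Python model of the egress decision Graeme describes, where a flexresp RST is handed to the IP stack and routed like any other packet. It reproduces Byron's failure mode (both NICs carry an IP and a default gateway, so when the admin NIC goes down the RST leaks out the sniffing NIC) and Lee's fix (no IP bound on the sniffing NIC, so it never appears in the routing table). Interface names, addresses and metrics are constructed; the lookup is the usual longest-prefix match with lowest metric as tie-break, which is an assumption about how the host's stack behaves rather than a reproduction of the Windows 2000 code.

```python
"""
Model of how a host's IP stack picks the egress interface for a packet that
Snort's flexresp injects (e.g. a TCP RST).  Added example, not code from the
thread or from Snort/WinPcap.  Addresses, names and metrics are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Interface:
    name: str
    up: bool = True
    # None means no IP bound on this NIC (TCP/IP unbound, Lee's suggestion).
    address: Optional[ipaddress.IPv4Interface] = None
    # None means no default gateway configured on this NIC.
    default_metric: Optional[int] = None


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    metric: int


def build_routing_table(ifaces: List[Interface]) -> List[Route]:
    """Derive the routing table the way the OS does automatically: one
    connected route per bound address plus a default route for every NIC
    configured with a gateway.  A down or unbound NIC contributes nothing,
    which is exactly why an unbound sniffing NIC can never be chosen."""
    table: List[Route] = []
    for nic in ifaces:
        if not nic.up or nic.address is None:
            continue
        table.append(Route(nic.address.network, nic.name, 1))
        if nic.default_metric is not None:
            table.append(Route(ipaddress.ip_network("0.0.0.0/0"),
                               nic.name, nic.default_metric))
    return table


def egress_interface(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, lowest metric as tie-break (assumed lookup
    order).  None means 'no route to host': the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))
    return best.iface


def sensor(config: str, admin_up: bool) -> List[Interface]:
    """Constructed dual-NIC sensor.
    'dual_ip': both NICs carry an IP and a default gateway (Byron's setup,
               admin gateway preferred by metric).
    'unbound': the sniffing NIC has no IP at all (Lee's suggestion)."""
    admin = Interface("admin", admin_up,
                      ipaddress.ip_interface("10.0.0.5/24"), default_metric=1)
    if config == "dual_ip":
        sniff = Interface("sniff", True,
                          ipaddress.ip_interface("192.0.2.5/24"), default_metric=2)
    elif config == "unbound":
        sniff = Interface("sniff", True, None, None)
    else:
        raise ValueError(f"unknown config {config!r}")
    return [admin, sniff]


def flexresp_egress(config: str, admin_up: bool,
                    attacker: str = "198.51.100.7") -> Optional[str]:
    """Interface a forged RST aimed at `attacker` would leave through."""
    return egress_interface(build_routing_table(sensor(config, admin_up)), attacker)


if __name__ == "__main__":
    for cfg in ("dual_ip", "unbound"):
        for up in (True, False):
            print(f"{cfg:8s} admin_up={str(up):5s} -> RST leaves via "
                  f"{flexresp_egress(cfg, up)}")
```

With both NICs addressed, the RST takes the admin NIC only as long as that NIC is up; once it drops, the sniffing NIC's default route is the only match left and the RST goes out onto the SPAN port (or is silently eaten by a receive-only monitor port). With the sniffing NIC unbound, losing the admin NIC means the RST has no route at all, which is the safer failure: the sensor stays invisible on the monitored segment, at the cost of flexresp doing nothing until management connectivity returns.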