Snort mailing list archives
Re: flex response and cisco span ports
From: Rich Adamson <radamson () routers com>
Date: Thu, 3 Jan 2002 21:09:11 -0600
"Use" of a switch port while the port is being used to mirror other ports has changed between different versions of Cisco software, and varies from one vendor's switch to another. The current Cisco versions (for small switches) seem to be oriented towards allowing the use of the port while the large switches (=>4000) have an optional parameter to turn the function on or off. User's choice.
------------------------
This is not correct...I use port monitoring and port spanning on my switched networks..and have no problem sending and receiving data on these ports.....

----- Original Message -----

When snort has to respond [ie, send RST packets] I assume it sends them out the interface it is listening on? How does this work when monitoring a cisco switched network? Once I make a port a monitor port, it is read-only and nothing can be sent out on it, so what I've done in the past is put 2 interfaces on my snort sensors. One is a listener, the other is the "management" port that I ssh to, etc, etc.

In my experience, this is wrong on both counts. I have successfully used real live machines (both by accident *and* by design; long story) with real live IP addresses plugged into a Cisco SPAN (port mirror, monitoring, call it what you will) port on Catalyst 2924XL and 3524/3548XL switches. It can make emergency oh-my-god-everything-broke situations a little more bearable if you can sniff *and* make external connections thru the same NIC, especially when you have a laptop with a single interface... and you need to just dig that MAC address out of that remote database which is not on your laptop!

So I guess my question is this.. Can I make the sensor send its flex-response packets out the 'mgmt' port instead? Surely there are other people with an environment like this [snort, cisco catalyst switches, flex-response] .. What's everyone else doing?

As far as I'm aware, snort chucks its flexresp packets out via *the default gateway* therefore it spits them out thru whatever interface your default route points at. YMMV obviously, but as far back as the initial implementations of flexresp snort didn't do anything too fancy, just generated the packets and dropped them on the IP stack for the kernel to handle as it pleased. I'm not too proud to stand corrected, mind you!
Graeme
--
Graeme Fowler
System Administrator
Host Europe Group PLC

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
---------------End of Original Message-----------------
Current thread:
- flex response and cisco span ports tyler (Jan 02)
- Re: flex response and cisco span ports Greg Herlein (Jan 02)
- <Possible follow-ups>
- RE: flex response and cisco span ports Graeme Fowler (Jan 02)
- Re: flex response and cisco span ports Greg Robinson (Jan 02)
- Re: flex response and cisco span ports Rich Adamson (Jan 03)
- Re: flex response and cisco span ports John Roberds (Jan 02)
- Re: dual nic, was: flex response and cisco span ports Byron (Jan 02)
- Re: flex response and cisco span ports Greg Robinson (Jan 02)
- RE: flex response and cisco span ports tyler (Jan 02)
- RE: flex response and cisco span ports tyler (Jan 02)