Snort mailing list archives
Re: Using Snort on a Switch via span problem
From: Eric Noel <ericnoel () mylife ph>
Date: Thu, 22 Jul 2004 08:34:20 +0800
On 7/20/2004 12:56 PM, Eric Noel wrote:
I have a problem with my snort. I've configured the cisco switch for span/port forwarding, but my problem is that snort is working only if the attack is to itself. So if I tried attacking the web server, it doesn't log in the snort. Can anyone assist me by giving pointers, reference materials or even directly help me? Thanks guys.

I have the following snort/acid setup for reference:

NET LAYOUT:
cisco 2900xl (172.30.16.0 LAN)
+-------+-------+-------+
| fa0/1 | fa0/2 | fa0/3 |
+-------+-------+-------+
fa0/2 = snort (172.30.19.49/255.255.240.0)
fa0/3 = web server (172.30.19.101/255.255.240.0)

CISCO CONFIG:
interface FastEthernet0/1
 switchport mode multi
interface FastEthernet0/2
 port monitor FastEthernet0/3

CISCO SHOW PORT MONITOR:
Monitor Port          Port Being Monitored
--------------------- ---------------------
FastEthernet0/2       FastEthernet0/3

SNORT CONF:
var HOME_NET [172.30.16.0/20]
var EXTERNAL_NET any
var HTTP_SERVERS [172.30.19.101/20,172.30.19.102/20]
var RULE_PATH /etc/snort/rules

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

I tried Matt's revision to my snort's conf, but it still logs only intrusions directed to the snort server and not to other servers (e.g. webserver). Anyway, I just installed a sensor on the firewall portion and log to the snort server just to make ends meet :(. I hope somebody has a clue on why I still can't detect any intrusion other than to my snort server.