Snort mailing list archives
RE: Ipchains questions
From: "Mayers, Philip J" <p.mayers () ic ac uk>
Date: Tue, 28 Aug 2001 16:40:32 +0100
I could make a great many amusing comments about 3Com switches here ("Sure, I know how to get it working - first, trick cisco into giving you a tradein...") but they'd be futile - it wouldn't get rid of the 700-some SuperStack's we've got!

It's called roving analysis on the 3Com's - from the terminal interface do:

feature analyzer add <the port you want the copied traffic to go out of> start <the port you want to monitor>

Easy.

Regards,
Phil

+------------------------------------------+
| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
+------------------------------------------+

-----Original Message-----
From: Darrin Powell [mailto:dpowell () lssi net]
Sent: 28 August 2001 15:27
To: Ciaron Gogarty; dpowell () lssi net; Blake Frantz
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Ipchains questions

The switch I have is a 3com 3300 super stack 2. Any ideas on how to get this one working?

Thanks
Darrin

On Monday 27 August 2001 11:56 am, Ciaron Gogarty wrote:

depends on what type of switch. If it's a cisco ios based then under the interface snort is connected to type "port mirror?" this will give you the syntax you need. If it's a cisco cat os switch it's span port ? or perhaps port span, can never remember.

Cheers,
C

-----Original Message-----
From: Darrin Powell [mailto:dpowell () lssi net]
Sent: 27 August 2001 15:52
To: Blake Frantz
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Ipchains questions

Yes I am connected through a switch. I am not familiar with how to port mirror. Could you give me some more info on that or possibly a website.

Thanks for the reply
Darrin

On Friday 24 August 2001 05:32 pm, Blake Frantz wrote:

Is your snort sensor hung off a switch or hub? If it's off a switch then you won't see anything destined to other boxes unless you port mirror.

-blake

=================================================================
The Government, like diapers, should be replaced regularly, and often for the same reasons.

On Fri, 24 Aug 2001, Darrin Powell wrote:

Ok here is my scenario. I have a box outside the firewall with a deny all ipchains approach running snort. If I scan that box snort picks it up. In my snort rules I have multiple ip addresses that I want snort to monitor.

var HOME_NET [111.111.111.112,111.111.111.113,111.111.111.114]

The rest of the configuration is pretty much default for snort-1.8p1-0. Other than location of rules and conf file. These other machines have ipchains as well with a deny all approach. If I scan any of those boxes snort does not pick it up. Should snort pick up these other machines or do I have to change my ipchains so they can see each other?

Thanks in advance
Darrin

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users