Snort mailing list archives

flex response and cisco span ports


From: tyler () ibill com
Date: Wed, 2 Jan 2002 11:26:58 -0500

Gang,

I'm going to be implementing a distributed snort configuration soon and I
have a question regarding flex-response as that's something I'd like to use.

When snort has to respond [ie, send RST packets] I assume it sends them out
the interface it is listening on?  How does this work when monitoring a
cisco switched network?  Once I make a port a monitor port, it is read-only
and nothing can be sent out on it, so what I've done in the past is put 2
interfaces on my snort sensors.  One is a listener, the other is the
"management" port that I ssh to, etc, etc.

So I guess my question is this.. Can I make the sensor send its
flex-response packets out the 'mgmt' port instead?  Surely there are other
people with an environment like this [snort, cisco catalyst switches,
flex-response] .. What's everyone else doing?

Thanks,

tf.

