Snort mailing list archives

RE: flex response and cisco span ports


From: Graeme Fowler <graeme.fowler () hosteurope com>
Date: Wed, 2 Jan 2002 17:05:08 -0000

tf wrote:

> When snort has to respond [ie, send RST packets] I assume it 
> sends them out the interface it is listening on?
> How does this work when monitoring a cisco switched network?
> Once I make a port a monitor port, it is read-only and nothing
> can be sent out on it, so what I've done in the past is put 2
> interfaces on my snort sensors.  One is a listener, the other
> is the "management" port that I ssh to, etc, etc.

In my experience, this is wrong on both counts. I have successfully used
real live machines (both by accident *and* by design; long story) with real
live IP addresses plugged into a Cisco SPAN (port mirror, monitoring, call
it what you will) port on Catalyst 2924XL and 3524/3548XL switches. It can
make emergency oh-my-god-everything-broke situations a little more bearable
if you can sniff *and* make external connections thru the same NIC,
especially when you have a laptop with a single interface... and you need to
just dig that MAC address out of that remote database which is not on your
laptop!

> So I guess my question is this.. Can I make the sensor send its
> flex-response packets out the 'mgmt' port instead?  Surely 
> there are other people with an environment like this [snort,
> cisco catalyst switches, flex-response] .. What's everyone else
> doing?

As far as I'm aware, snort chucks its flexresp packets out via *the default
gateway* therefore it spits them out thru whatever interface your default
route points at.

YMMV obviously, but as far back as the initial implementations of flexresp
snort didn't do anything too fancy, just generated the packets and dropped
them on the IP stack for the kernel to handle as it pleased. I'm not too
proud to stand corrected, mind you!

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC

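The point Graeme makes above is that an injected packet handed to the IP stack leaves through whatever interface the host's routing table picks for the *destination*, not through the interface the sniffer is bound to. The following is an added example (not Snort code and not from this thread) that works this out with a longest-prefix-match lookup over a constructed routing table for a hypothetical two-NIC sensor: eth0 on the SPAN port with no routes, eth1 as the management port carrying the default route. The interface names, addresses and subnets are all made up for the illustration. Whether a switch will actually forward frames received on a mirror port is a separate question, which the thread itself disputes.

```python
"""Added example: which interface does a sensor's IP stack use for an
injected (flexresp-style) RST?  Answer: the one the routing table picks
for the destination, found here by longest-prefix match.  Not Snort code;
the routing table and addresses below are constructed for illustration."""
import ipaddress

# Constructed routing table for a hypothetical two-NIC sensor:
#   eth0 = SPAN/mirror port, brought up with no address and no routes
#   eth1 = management port, carries the only default route
# Each entry is (destination prefix, gateway or None if directly attached, interface).
SENSOR_ROUTES = [
    ("10.10.20.0/24", None, "eth1"),        # management LAN, directly attached
    ("0.0.0.0/0", "10.10.20.1", "eth1"),    # default route via the mgmt gateway
]


def lookup_route(routes, dst):
    """Return the most specific (prefix, gateway, iface) matching dst, or None
    if no route covers it.  Only the destination address is consulted: a RST
    whose *source* is spoofed to look like one of the monitored endpoints is
    routed exactly like any other packet to that destination."""
    target = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, gateway, iface in routes:
        net = ipaddress.ip_network(prefix)
        if target in net and net.prefixlen > best_len:
            best, best_len = (prefix, gateway, iface), net.prefixlen
    return best


def egress_interface(routes, dst):
    """Interface the stack would send a packet for dst out of, or None."""
    route = lookup_route(routes, dst)
    return route[2] if route else None


def with_monitored_subnet_on_span(routes, monitored_prefix, span_iface="eth0"):
    """Return a copy of the table with the monitored subnet routed directly
    over the SPAN-side interface, the change an operator would make if they
    wanted resets to leave through the sniffing NIC instead of management.
    The more specific prefix then wins over the default route."""
    return routes + [(monitored_prefix, None, span_iface)]


if __name__ == "__main__":
    victim = "192.168.5.7"            # constructed address on a monitored segment
    print("default table   ->", egress_interface(SENSOR_ROUTES, victim))          # eth1
    steered = with_monitored_subnet_on_span(SENSOR_ROUTES, "192.168.5.0/24")
    print("with eth0 route ->", egress_interface(steered, victim))                # eth0
    print("no default route->", egress_interface(SENSOR_ROUTES[:1], victim))      # None
```

With only the default route present, a reset aimed at a host on the monitored segment leaves via eth1, the management port, regardless of which NIC Snort captured on. Adding a more specific route for the monitored subnet over eth0 redirects it there. If no route covers the destination at all, the stack has nowhere to send the packet and the response is silently lost, which is the failure mode to check first when flexresp appears to do nothing.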
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users