Snort mailing list archives

Re: Flexresp question


From: "Kristofer T. Karas" <ktk () enterprise bidmc harvard edu>
Date: Fri, 05 Mar 2004 14:12:11 -0500

ravath k wrote:

My basic question is if a port is configured as a SPAN
port, can it send packets on that interface? If not,
how will Snort reset connections?

No, SPANed ports (on Cisco in any case) are read-only. If you are using a UNIX platform, you should configure your Ethernet interface (the one connected to the SPANed port) to have no IP address and disable ARP and BROADCAST (if applicable). On Windows, you remove any protocol stack from the device. No packets should be sent out over it, as they'll be silently discarded by the Cisco switch. Some utilities (such as tcpkill from Doug Song's "dsniff" package) will send the resets back on the same interface the originating traffic came in on; they don't work.

Snort does the right thing by sending the resets out via the OS's normal routing table. So they'll go out via the administrative port. Just make sure that the VLAN your admin port is on will properly route the packets (that have forged src IP) to the intended destination.

Kris
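
The two checks described in the reply above, as an added example that is not part of the original post or of Snort: it audits a Linux sensor by parsing iproute2 output, confirming the sniffing interface has no address and no ARP, and that resets would be routed out some other interface. The interface names (eth1 for the SPAN-connected port, eth0 for the admin port), the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit a passive sensor. Inputs are text in the format printed by
# `ip -o link show dev IF`, `ip -o addr show dev IF` and `ip route get DST`.

# Print one finding per line for the sniffing interface; nothing if it is clean.
audit_sniff_if() {
    link_out=$1; addr_out=$2
    flags=$(printf '%s\n' "$link_out" | sed -n 's/.*<\([^>]*\)>.*/\1/p' | head -n 1)
    case ",$flags," in
        *,NOARP,*) ;;
        *) echo "ARP enabled (NOARP flag missing); fix: ip link set dev IF arp off" ;;
    esac
    # IPv4 or IPv6: any address means the host stack may transmit on this port.
    printf '%s\n' "$addr_out" |
        awk '$3 == "inet" || $3 == "inet6" { print "address assigned: " $4 }'
}

# Print the interface the kernel would use to reach a destination.
egress_if() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed only if a reset to that destination leaves by some other interface
# than the sniffing one, i.e. it is not sent into the SPAN port and discarded.
resets_avoid_sniff_if() {
    out_if=$(egress_if "$2")
    [ -n "$out_if" ] && [ "$out_if" != "$1" ]
}

# Constructed sample output (eth1 = sniffing port, eth0 = admin port).
SAMPLE_LINK_BAD='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDR_BAD='3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1\       valid_lft forever preferred_lft forever'
SAMPLE_LINK_OK='3: eth1: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UP\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDR_OK=''
SAMPLE_ROUTE='198.51.100.7 via 10.0.0.1 dev eth0 src 10.0.0.5 uid 0'

echo "misconfigured eth1:"; audit_sniff_if "$SAMPLE_LINK_BAD" "$SAMPLE_ADDR_BAD"
echo "hardened eth1:";      audit_sniff_if "$SAMPLE_LINK_OK" "$SAMPLE_ADDR_OK"
if resets_avoid_sniff_if eth1 "$SAMPLE_ROUTE"; then
    echo "resets leave via $(egress_if "$SAMPLE_ROUTE")"
else
    echo "resets would be sent into the SPAN port and discarded"
fi
# On a live sensor: audit_sniff_if "$(ip -o link show dev eth1)" "$(ip -o addr show dev eth1)"
```

The egress check only shows which local interface the reset leaves by; whether the admin VLAN forwards a packet carrying a forged source address still has to be confirmed on the network itself.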


