Snort mailing list archives
Re: Using Snort on a Switch via span problem
From: SN ORT <snort_on_acid () yahoo com>
Date: Thu, 22 Jul 2004 06:39:26 -0700 (PDT)
Then you are not seeing the traffic going to those server(s). You either have the wrong interface specified in the snort startup command or you are not spanning properly. Do a dump on the line to be sure you're even seeing that traffic and check your cmd-line...

Cheese!
Marc

--__--__--

Message: 2
Date: Thu, 22 Jul 2004 08:34:20 +0800
From: Eric Noel <ericnoel () mylife ph>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Using Snort on a Switch via span problem

On 7/20/2004 12:56 PM, Eric Noel wrote:
I have a problem with my snort. I've configured the cisco switch for span/port forwarding, but my problem is that snort is working only if the attack is to itself. So if I tried attacking the web server, it doesn't log in the snort. Can anyone assist me by giving pointers, reference materials or even directly help me? Thanks guys.

I have the following snort/acid setup for reference:

NET LAYOUT:
cisco 2900xl (172.30.16.0 LAN)
+-------+-------+-------+
| fa0/1 | fa0/2 | fa0/3 |
+-------+-------+-------+
fa0/2 = snort (172.30.19.49/255.255.240.0)
fa0/3 = web server (172.30.19.101/255.255.240.0)

CISCO CONFIG:
interface FastEthernet0/1
 switchport mode multi
interface FastEthernet0/2
 port monitor FastEthernet0/3

CISCO SHOW PORT MONITOR:
Monitor Port          Port Being Monitored
--------------------- ---------------------
FastEthernet0/2       FastEthernet0/3

SNORT CONF:
var HOME_NET [172.30.16.0/20]
var EXTERNAL_NET any
var HTTP_SERVERS [172.30.19.101/20,172.30.19.102/20]
var RULE_PATH /etc/snort/rules
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

I tried Matt's revision to my snort's conf but it still just logs only intrusion directed to the snort server and not to other servers (e.g. webserver). Anyway, I just installed a sensor on the firewall portion and log to the snort server just to make ends meet :>>(. I hope somebody has a clue on why I still can't detect any intrusion other than my snort server.
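
The dump check suggested in the reply above, as an added example that is not part of the original thread: it classifies `tcpdump -n` text output captured on the sensor to tell a working mirror from the "only sees attacks on itself" symptom. The helper name `span_check`, the capture lines and the addresses 192.0.2.10 and 172.30.16.1 are constructed; the sensor and web server addresses are the ones from the posted layout, and IPv4 is assumed.

```shell
#!/bin/sh
# span_check SENSOR_IP MONITORED_IP  (hypothetical helper, not a Snort or tcpdump tool)
# Reads `tcpdump -n` text lines on stdin and prints one verdict:
#   span-ok      third-party traffic to/from the monitored host is visible
#   sensor-only  only packets addressed to or from the sensor itself are visible
#   no-traffic   no IPv4 packets were parsed at all
span_check() {
    awk -v sensor="$1" -v target="$2" '
    # Strip the trailing ":" and the port from "a.b.c.d.port:" (IPv4 only).
    function host(s,   p) {
        sub(/:$/, "", s)
        if (split(s, p, "[.]") == 5) s = p[1] "." p[2] "." p[3] "." p[4]
        return s
    }
    {
        for (i = 2; i < NF; i++) {
            if ($i != ">") continue
            src = host($(i - 1)); dst = host($(i + 1))
            if (src == sensor || dst == sensor) own++
            else if (src == target || dst == target) mirrored++
            break
        }
    }
    END {
        if (mirrored > 0) print "span-ok"
        else if (own > 0) print "sensor-only"
        else print "no-traffic"
    }'
}

# Constructed capture: the symptom in this thread (only sensor-addressed packets).
sample_sensor_only() {
    cat <<'EOF'
06:39:26.100000 IP 192.0.2.10.40112 > 172.30.19.49.80: Flags [S], seq 1, win 5840, length 0
06:39:26.100200 IP 172.30.19.49.80 > 192.0.2.10.40112: Flags [R.], seq 0, ack 2, win 0, length 0
06:39:27.000000 ARP, Request who-has 172.30.19.101 tell 172.30.16.1, length 46
EOF
}

# Constructed capture: mirror working, client-to-web-server traffic is visible.
sample_span_ok() {
    cat <<'EOF'
06:40:01.000000 IP 192.0.2.10.40113 > 172.30.19.101.80: Flags [S], seq 1, win 5840, length 0
06:40:01.000300 IP 172.30.19.101.80 > 192.0.2.10.40113: Flags [S.], seq 9, ack 2, win 5792, length 0
EOF
}

sample_sensor_only | span_check 172.30.19.49 172.30.19.101
sample_span_ok | span_check 172.30.19.49 172.30.19.101
```

On a live sensor the input would come from `tcpdump -n -i` on the same interface Snort is started on, captured while a third host connects to the web server; a `sensor-only` or `no-traffic` verdict points at the mirror configuration or the interface choice rather than at the rules.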
Current thread:
- Using Snort on a Switch via span problem Eric Noel (Jul 19)
- Re: Using Snort on a Switch via span problem Matt Kettler (Jul 20)
- Re: Using Snort on a Switch via span problem Eric Noel (Jul 20)
- Re: Using Snort on a Switch via span problem Matt Kettler (Jul 20)
- Re: Using Snort on a Switch via span problem Eric Noel (Jul 20)
- Re: Using Snort on a Switch via span problem Eric Noel (Jul 21)
- <Possible follow-ups>
- Re: Using Snort on a Switch via span problem SN ORT (Jul 22)
- Re: Using Snort on a Switch via span problem Matt Kettler (Jul 20)