Snort mailing list archives

Re: Using Snort on a Switch via span problem


From: SN ORT <snort_on_acid () yahoo com>
Date: Thu, 22 Jul 2004 06:39:26 -0700 (PDT)

Then you are not seeing the traffic going to those
server(s). You either have the wrong interface
specified in the snort startup command or you are not
spanning properly. Do a dump on the line to be sure
you're even seeing that traffic and check your
cmd-line...

Cheese!

Marc




--__--__--

Message: 2
Date: Thu, 22 Jul 2004 08:34:20 +0800
From: Eric Noel <ericnoel () mylife ph>
To:  snort-users () lists sourceforge net
Subject: Re: [Snort-users] Using Snort on a Switch via span problem

On 7/20/2004 12:56 PM, Eric Noel wrote:
I have a problem with my snort. I've configured the cisco switch for
span/port forwarding, but my problem is that snort is working only if
the attack is to itself. So if I tried attacking the web server, it
doesn't log in the snort. Can anyone assist me by giving pointers,
reference materials or even directly help me?? Thanks guys.

I have the ff snort/acid setup for reference:

NET LAYOUT:
cisco 2900xl (172.30.16.0 LAN)
+-------+-------+-------+
| fa0/1 | fa0/2 | fa0/3 |
+-------+-------+-------+

fa0/2 = snort (172.30.19.49/255.255.240.0)
fa0/3 = web server (172.30.19.101/255.255.240.0)

CISCO CONFIG:
interface FastEthernet0/1
 switchport mode multi
interface FastEthernet0/2
 port monitor FastEthernet0/3

CISCO SHOW PORT MONITOR:
Monitor Port           Port Being Monitored
---------------------  ---------------------
FastEthernet0/2        FastEthernet0/3

SNORT CONF:
var HOME_NET [172.30.16.0/20]
var EXTERNAL_NET any
var HTTP_SERVERS [172.30.19.101/20,172.30.19.102/20]
var RULE_PATH /etc/snort/rules



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


I tried Matt's revision to my snort's conf but it still just logs only
intrusions directed to the snort server and not to other servers (e.g.
webserver). Anyway, I just installed a sensor on the firewall portion
and log to the snort server just to make ends meet :>>(. I hope
somebody has a clue on why I still can't detect any intrusion other
than my snort
server.
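
The "do a dump on the line" check suggested in this thread, as an added example that is not part of the original messages: it classifies `tcpdump -n` output captured on the sensor interface to tell whether any unicast traffic for the monitored port is actually arriving. The IPv4 line format, the function names and the sample lines are assumptions made for this example; the addresses are the ones from the posted layout.

```python
import ipaddress
import re
from collections import Counter

# Addresses from the thread's layout; everything else here is an assumption.
SENSOR = ipaddress.ip_address("172.30.19.49")      # fa0/2, snort box
MONITORED = ipaddress.ip_address("172.30.19.101")  # fa0/3, web server
LAN = ipaddress.ip_network("172.30.16.0/20")
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")

# Address pair in a `tcpdump -n` IPv4 line: "IP a.b.c.d[.port] > e.f.g.h[.port]:"
PAIR = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

def classify(line):
    m = PAIR.search(line)
    if not m:
        return None  # ARP and other non-IPv4 lines are ignored
    src, dst = (ipaddress.ip_address(a) for a in m.groups())
    # Broadcast/multicast reaches every port anyway, so it proves nothing about SPAN.
    if dst.is_multicast or dst in (LAN.broadcast_address, LIMITED_BCAST):
        return "flooded"
    if SENSOR in (src, dst):
        return "sensor"      # traffic the sensor would see without any mirroring
    if MONITORED in (src, dst):
        return "mirrored"    # unicast for fa0/3 that only a working SPAN delivers
    return "other"

def verdict(lines):
    counts = Counter(c for c in map(classify, lines) if c)
    if counts["mirrored"]:
        status = "span-ok"
    elif counts:
        status = "span-not-delivering"
    else:
        status = "no-ip-traffic"
    return status, dict(counts)

# Constructed sample lines (192.0.2.10 is a documentation address), not real captures.
SENSOR_ONLY = [
    "08:34:20.100001 IP 192.0.2.10.40112 > 172.30.19.49.22: Flags [S], seq 1, win 64240, length 0",
    "08:34:20.100301 IP 172.30.19.49.22 > 192.0.2.10.40112: Flags [S.], seq 1, ack 2, win 65160, length 0",
    "08:34:21.000000 IP 172.30.19.101.138 > 172.30.31.255.138: UDP, length 201",
    "08:34:22.000000 ARP, Request who-has 172.30.19.101 tell 172.30.16.1, length 46",
]
MIRRORED = SENSOR_ONLY + [
    "08:34:23.000000 IP 192.0.2.10.40200 > 172.30.19.101.80: Flags [P.], seq 1:120, ack 1, win 502, length 119",
]
if __name__ == "__main__":
    print(verdict(SENSOR_ONLY), verdict(MIRRORED))
```

A "span-not-delivering" result on the interface given in the snort startup command matches the symptom described in the thread: alerts only for attacks aimed at the sensor itself.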


                

