From: twig les (twigles@yahoo.com)
Date: Mon Jul 01 2002 - 14:40:23 CDT


    I don't like being the bearer of bad news, but the
    SPAN feature on the 2900 and 3500 series *sucks*. To
    answer your question about which interface to use,
    bind Snort to the interface that is inside the VLAN
    you want to monitor, because otherwise you won't see
    any traffic. The bigger Catalysts can monitor
    multiple VLANs but not the 29/35s.

    Another limitation of this series is the ability to
    only set one receive port. Again, the bigger switches
    don't have this.

    Also, read this fun fact from Cisco's site:

    "The monitoring port receives copies of transmitted
    and received traffic for all monitored ports. In this
    architecture, a packet destined for multiple
    destinations is stored in memory until all copies have
    been forwarded. If the monitoring port is 50 percent
    oversubscribed for a sustained period of time, it will
    probably become congested and hold part of the shared
    memory. One or more of the ports being monitored might
    then also experience a slowdown."

    http://www.cisco.com/warp/public/473/41.html#archXL

    This pretty much means that if your sniffer port is
    over 50% then it will drag other ports down.

    Cisco has a neat feature called port protection too.
    Well that breaks sniffing also.

    Sorry if this is kind of a rant. I have gone through
    many rites of passage on our Cisco switches (and
    lately the routers...).

    --- "Dmitry S. Rzhavin" <dimart.ru> wrote:
    > mike.jablonski@abnamrousa.com wrote:
    > >
    > > you need to enable the span port feature.
    > >
    >
    > Sorry, it seems my explanation was too bad.
    > I have an internal FW. It is connected to a cat2924
    > with xl0 at 100Mbit.
    > The switch port is in trunk mode.
    > There are 2 vlans on xl0: vlan0 and vlan1.
    > There is no IP on xl0.
    > My default router (cisco 26XX) is in vlan0 (trunk
    > too).
    > My office subnet is on vlan1 (all office hosts
    > configured as vlan 1 on the switch).
    >
    > So, my box works as router+FW between vlan0 and
    > vlan1.
    > Now it works.
    >
    > So, I want to setup snort to detect attacks.
    > What iface (xl0, vlan0, or what) shall I bind snort
    > (snort -i flag) to make it analyze both internal
    > and external traffic?
    >
    > Another question is: cisco detects vlans with the vtp
    > protocol. Does FreeBSD support it?
    >
    > To Unsubscribe: send mail to majordomo@FreeBSD.org
    > with "unsubscribe freebsd-security" in the body of
    > the message

    =====
    -----------------------------------------------------------
    Only fools have all the answers.
    -----------------------------------------------------------


    To Unsubscribe: send mail to majordomo@FreeBSD.org
    with "unsubscribe freebsd-security" in the body of the message
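
Editor's note (added example, not part of either message above): the question in this thread is which interface to hand to snort -i when the FreeBSD box sits on an 802.1Q trunk with two vlan pseudo-interfaces. The difference between the two choices is what each interface delivers to a sniffer. On the physical trunk interface (xl0 in the thread) every frame arrives with its 802.1Q tag still attached, so one capture covers both VLANs and the VID in the tag tells them apart; on a vlan pseudo-interface only that VLAN's frames appear, with the tag already removed. The Python below makes that concrete by building a few constructed tagged and untagged frames, decoding the 802.1Q tag, and showing the "trunk view" and "vlan interface view" of the same traffic. The VLAN IDs 10 and 20, the MAC addresses and the frame payloads are all invented for the example; the original post names the interfaces vlan0 and vlan1 but gives no VIDs, and nothing here is snort's or FreeBSD's own code.

```python
"""Demultiplex 802.1Q-tagged frames as a sniffer on a trunk port would see them.

Added example, not from the original thread. VIDs 10 and 20, the MAC addresses
and the payloads are constructed; the thread gives no real values.
"""
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("VID out of range")
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) DEI(1)=0 VID(12)
        hdr += struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Decode the Ethernet header and peel a single 802.1Q tag if present.

    'vid' is None for untagged frames (native VLAN on a trunk).
    """
    if len(frame) < 14:
        raise ValueError("runt frame: %d bytes" % len(frame))
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
        offset = 18
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "vid": vid, "pcp": pcp, "ethertype": ethertype,
        "payload": frame[offset:],
    }


def trunk_view(frames):
    """What a sniffer bound to the physical trunk interface sees:
    every frame, still tagged, grouped here by VID (None = untagged)."""
    by_vid = {}
    for f in frames:
        p = parse_frame(f)
        by_vid.setdefault(p["vid"], []).append(p)
    return by_vid


def vlan_interface_view(frames, vid):
    """What a sniffer bound to the vlan pseudo-interface for `vid` sees:
    only that VLAN's frames, re-emitted with the 802.1Q tag removed."""
    out = []
    for f in frames:
        p = parse_frame(f)
        if p["vid"] == vid:
            out.append(f[:12] + struct.pack("!H", p["ethertype"]) + p["payload"])
    return out


# Constructed sample traffic (not a real capture): router and firewall on
# VID 10, office hosts and firewall on VID 20, one untagged broadcast ARP.
ROUTER_MAC = bytes.fromhex("00112233aa01")
FW_MAC = bytes.fromhex("00112233bb02")
OFFICE_MAC = bytes.fromhex("00112233cc03")
SAMPLE_FRAMES = [
    build_frame(FW_MAC, ROUTER_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vid=10),
    build_frame(FW_MAC, OFFICE_MAC, ETHERTYPE_ARP, b"\x00\x01\x08\x00" + b"\x00" * 24, vid=20),
    build_frame(OFFICE_MAC, FW_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vid=20),
    build_frame(b"\xff" * 6, ROUTER_MAC, ETHERTYPE_ARP, b"\x00\x01\x08\x00" + b"\x00" * 24),
]

if __name__ == "__main__":
    views = trunk_view(SAMPLE_FRAMES)
    for vid in sorted(views, key=lambda v: (v is None, v or 0)):
        print("trunk interface: VID %s -> %d frame(s)" % (vid, len(views[vid])))
    print("vlan pseudo-interface for VID 20: %d frame(s), all untagged"
          % len(vlan_interface_view(SAMPLE_FRAMES, 20)))
```

One caveat a practitioner should check before relying on the trunk view: some NICs and drivers strip the 802.1Q tag in hardware before the frame reaches the capture layer. If that happens, frames from both VLANs arrive on the physical interface untagged and cannot be told apart, which matches the behaviour twig les describes of seeing nothing useful unless you bind to the interface inside the VLAN.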