From: Bill Royds (broyds@HOME.COM)
Date: Tue Apr 17 2001 - 20:29:07 CDT

    You want the SNORT server to have its own IP address (or better yet, none at all) but listening to the mirrored port in promiscuous mode.
    A sniffer never replies to Ethernet packets, just listens.
    The SNORT server will generate an ARP table relating IP addresses to MAC addresses for your target (and the routers connecting segment to Internet).
    The IP/MAC addresses of your target will be used in SNORT detects, reports, etc. Port mirroring basically allows a switched network to imitate a hub for one of its transmission channels.

    -----Original Message-----
    From: Focus on Intrusion Detection Systems
    [mailto:FOCUS-IDS@SECURITYFOCUS.COM] On Behalf Of McCammon, Keith
    Sent: Tuesday, April 17, 2001 14:05
    To: FOCUS-IDS@SECURITYFOCUS.COM
    Subject: Snort Sensor on a Mirrored Port

    Hello group. This problem is probably more Ethernet-related than
    IDS-related, but I know someone on this list has done the same thing that I
    need to do, so here we go...

    Machine: TARGET
    IP: 10.0.0.1
    MAC: 00-00-00-00-00-01
    Switch Port: 1

    Machine: SNORT
    IP: 10.0.0.2
    MAC: 00-00-00-00-00-02
    Switch Port: 2

    I want SNORT to see and analyze all traffic that goes to TARGET. Snort used
    to run on each server, but we're scalin' up, and now snort must monitor
    traffic to a cluster server. Anyway, I've set my switch (BayStack 450-24T)
    so that port 2 mirrors all traffic to and from port 1 (<-> Port X, where
    port X is 1).

    My question is this: Do I assign SNORT the same IP as TARGET? How will my
    Snort sensor see the traffic in terms of source and destination coming from
    the switch? Scenario: A rogue packet is headed for TARGET, and also for SNORT
    (via the mirror). Will SNORT (at 10.0.0.2) accept the packet just as TARGET
    would have, and log it as an attempt against 10.0.0.1? If so, how is SNORT
    answering for 00-00-00-00-00-01, when its MAC is 00-00-00-00-00-02? Do both
    switch ports simply answer for 00-00-00-00-00-01, and do the machines/NICs
    not care?

    A bit confused. Many thanks in advance.

    Keith
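As an added illustration (not part of the thread, and not Snort's own code), the following Python models what Bill's reply describes: the NIC's normal receive filter versus promiscuous mode, and what a passive sensor records from a constructed frame addressed to TARGET's MAC and IP. TARGET and SNORT addresses come from Keith's message (written with colons here); the router MAC and the source IP of the rogue packet are constructed placeholders.

```python
import struct

TARGET_MAC, TARGET_IP = "00:00:00:00:00:01", "10.0.0.1"      # from the thread
SENSOR_MAC = "00:00:00:00:00:02"                             # SNORT's own NIC
ROUTER_MAC, ROGUE_SRC_IP = "00:00:00:00:00:99", "192.0.2.66"  # constructed placeholders

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto=6, payload=b""):
    """Constructed Ethernet II frame with a minimal IPv4 header (checksum left 0;
    sample data only, never sent on a wire)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip_hdr + payload

def nic_delivers(frame, own_mac, promisc):
    """Model of the NIC receive filter: normal mode passes only frames to our own
    unicast MAC, broadcast, or multicast; promiscuous mode passes everything."""
    dst = frame[:6]
    return promisc or dst == mac_bytes(own_mac) or dst == b"\xff" * 6 or bool(dst[0] & 1)

def decode(frame):
    """Header fields a sensor would log. The sensor only reads; it never replies,
    so its own MAC and IP play no part in what gets recorded."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:            # only IPv4 handled in this model
        return None
    ip = frame[14:34]
    return {"src_mac": mac_str(src), "dst_mac": mac_str(dst),
            "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]), "proto": ip[9]}

def sensor_log(frames, own_mac=SENSOR_MAC, promisc=True):
    """What the sensor records from a stream of mirrored frames."""
    return [r for f in frames if nic_delivers(f, own_mac, promisc) and (r := decode(f))]

if __name__ == "__main__":
    rogue = build_frame(TARGET_MAC, ROUTER_MAC, ROGUE_SRC_IP, TARGET_IP)
    reply = build_frame(ROUTER_MAC, TARGET_MAC, TARGET_IP, ROGUE_SRC_IP)
    print("normal mode :", sensor_log([rogue, reply], promisc=False))   # nothing seen
    print("promisc mode:", sensor_log([rogue, reply], promisc=True))    # both directions
```

Both mirrored directions show up only in promiscuous mode, and each record carries TARGET's addresses from the frame itself, which is why the sensor needs neither TARGET's IP nor an answer for TARGET's MAC.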