From: Fallon, Benjamin (bfallonBusinessedge.com)
Date: Tue Apr 02 2002 - 05:03:46 CST

    Cisco calls em span ports.

    Ben

    (Just had to get my two cents in there ;-) )
    -----Original Message-----
    From: Jason Yates [mailto:jyatesdataservice.org]
    Sent: Monday, April 01, 2002 3:56 PM
    To: Salomon, Charlie
    Cc: snort-userslists.sourceforge.net
    Subject: Re: [Snort-users] nmap scans don't appear in portscan.log

    On Mon, 2002-04-01 at 15:24, Salomon, Charlie wrote:
    > I'm a Snort newbie and need some help. I configured Snort 1.8.4 on
    > Linux (Slackware 7.1) with the default snort.conf file except for the
    > HOME_NET variable. We use a 172.xx.x.0 internal network with a
    > 255.255.252.0 mask. The HOME_NET entry is 172.xx.x.0/22.
    >
    > I ran nmap against the Snort box and the scans were properly detected.
    > However, when I ran a scan against other machines on our network, the
    > scans were not detected. I am running snort as a daemon with the
    > following parameters:
    >
    > snort -b -y -A fast -c snort.conf -M wrkstns -D
    >
    > I ran snort -vde, and I am seeing packets from other machines. All
    > scans are from an internal machine to other internal machines, and on the
    > same subnet.
    > All preprocessors pertaining to scans are active as well as the scan.rules.

    Unless you have snort hooked up to a monitor port on a switch or something,
    Snort can't see the traffic, and therefore it can't report bad traffic. You
    should probably check with your Network Administrator, and ask him/her to
    make a monitor port on your switch. I actually duplicate all the traffic
    going to and from my router port onto another port, which is hooked up to a
    monitor server. 3Com switches call this feature roving analysis, and I
    can't remember what Cisco calls it.

    If you need any help email me.

    -Jason

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users