Re: [Snort-users] Using Snort on a Switch via span problem

From: Eric Noel (ericnoelmylife.ph)
Date: Wed Jul 21 2004 - 19:34:20 CDT


On 7/20/2004 12:56 PM, Eric Noel wrote:
> I have a problem with my Snort. I've configured the Cisco switch for
> SPAN/port forwarding, but my problem is that Snort is working only if the
> attack is to itself. So if I tried attacking the web server, it doesn't
> log in Snort. Can anyone assist me by giving pointers, reference
> materials or even directly help me? Thanks guys.
>
> I have the following Snort/ACID setup for reference:
>
> NET LAYOUT:
> cisco 2900xl (172.30.16.0 LAN)
> +-------+-------+-------+
> | fa0/1 | fa0/2 | fa0/3 |
> +-------+-------+-------+
>
> fa0/2 = snort (172.30.19.49/255.255.240.0)
> fa0/3 = web server (172.30.19.101/255.255.240.0)
>
> CISCO CONFIG:
> interface FastEthernet0/1
> switchport mode multi
> interface FastEthernet0/2
> port monitor FastEthernet0/3
>
> CISCO SHOW PORT MONITOR:
> Monitor Port Port Being Monitored
> --------------------- ---------------------
> FastEthernet0/2 FastEthernet0/3
>
> SNORT CONF:
> var HOME_NET [172.30.16.0/20]
> var EXTERNAL_NET any
> var HTTP_SERVERS [172.30.19.101/20,172.30.19.102/20]
> var RULE_PATH /etc/snort/rules
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-userslists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>

I tried Matt's revision to my Snort conf, but it still logs only
intrusions directed at the Snort server and not at other servers (e.g. the
web server). Anyway, I just installed a sensor on the firewall portion
and log to the Snort server just to make ends meet :(. I hope somebody
has a clue as to why I still can't detect any intrusion other than to my
Snort server.
