Snort mailing list archives
Stealth sensor on SPAN port w/o tap
From: Robert MacKinnon <robert.mackinnon () broadpark no>
Date: Wed, 06 Nov 2002 16:29:59 +0100
I've been experimenting with getting my first snort sensor online but have not had success yet with configuring SPAN on the port to which the sensor is installed in a stealth mode.
The environ is PC with dual 100Mb NICs, snort v1.9.0 on RH v7.3. One NIC (eth1) is connected into a managment net and configured with an IP address. The other interface (eth0) is connected to a SPAN port (monitoring three other ports on the same Catalyst 2900XL, same VLAN) and has no IP address assigned.
Running "snort -dev -i eth0" produces no output. OpenPCap() warns about the missing IPv4 address but absolutely no packets are captured. If I assign an IP address to the port, capturing functions as expected.
I've read all I can find on the Internet about taps, SPAN ports and snort but nothing addresses this problem. Will I have to invest in a tap to get this to work? TIA.
- Rob. -------------------------------------------------------This sf.net email is sponsored by: See the NEW Palm Tungsten T handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Stealth sensor on SPAN port w/o tap Robert MacKinnon (Nov 06)
- <Possible follow-ups>
- RE: Stealth sensor on SPAN port w/o tap Security Admin (Nov 06)
- Stealth sensor on SPAN port w/o tap Robert MacKinnon (Nov 10)
- Re: Stealth sensor on SPAN port w/o tap Erek Adams (Nov 11)
- Re: Stealth sensor on SPAN port w/o tap Bennett Todd (Nov 13)
- Re: Stealth sensor on SPAN port w/o tap Erek Adams (Nov 11)