Snort mailing list archives
Re: Flexresp question
From: "Kristofer T. Karas" <ktk () enterprise bidmc harvard edu>
Date: Fri, 05 Mar 2004 14:12:11 -0500
ravath k wrote:
> My basic question is: if a port is configured as a SPAN port, can it send packets on that interface? If not, how will Snort reset connections?
No, SPAN'ed ports (on Cisco in any case) are read-only. If you are using a UNIX platform, you should configure your ethernet interface (the one connected to the SPANed port) to have no IP address and disable ARP and BROADCAST (if applicable). On Windows, you remove any protocol stack from the device. No packets should be sent out over it, as they'll be silently discarded by the Cisco switch. Some utilities (such as tcpkill from Doug Song's "dsniff" package) will send the resets back on the same interface the originating traffic came in on; they don't work.
Snort does the right thing by sending the resets out via the OS's normal routing table. So they'll go out via the administrative port. Just make sure that the VLAN your admin port is on will properly route the packets (that have forged src IP) to the intended destination.
Kris
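Added example, not part of the original post: a POSIX shell check that a Linux sensor's capture interface (the one on the SPAN port) matches the setup described above, with no IP address and ARP disabled. It assumes the iproute2 `ip -o` output format and a hypothetical interface name `eth1`; the sample lines are constructed, and treating an IPv6 address as a finding is an assumption of this example.

```shell
#!/bin/sh
# Audit a capture interface from the text of:
#   ip -o link show dev IF   and   ip -o addr show dev IF
# To bring an interface into this state (run as root, interface name assumed):
#   ip addr flush dev eth1 && ip link set dev eth1 arp off up

# Prints one finding per problem; returns 0 only when there are none.
audit_capture_iface() {
    link_line=$1    # one-line link record
    addr_lines=$2   # zero or more address records
    rc=0

    # Interface flags sit between '<' and '>', e.g. <BROADCAST,NOARP,UP>
    flags=$(printf '%s\n' "$link_line" | sed -n 's/^[^<]*<\([^>]*\)>.*/\1/p')

    case ",$flags," in
        *,NOARP,*) ;;
        *) echo "ARP enabled"; rc=1 ;;
    esac
    case ",$flags," in
        *,UP,*) ;;
        *) echo "interface down"; rc=1 ;;
    esac
    # Any inet or inet6 record means a protocol address is bound.
    if printf '%s\n' "$addr_lines" | grep -Eq ' inet6? '; then
        echo "IP address assigned"; rc=1
    fi
    return $rc
}

# Constructed sample records (not captured from a real host).
GOOD_LINK='3: eth1: <BROADCAST,MULTICAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 state UP'
GOOD_ADDR=''
BAD_LINK='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP'
BAD_ADDR='3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1'

audit_capture_iface "$GOOD_LINK" "$GOOD_ADDR" && echo "sample eth1: OK"

# Live use on the sensor:
#   audit_capture_iface "$(ip -o link show dev eth1)" "$(ip -o addr show dev eth1)"
```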