Re: [Snort-users] Using Snort on a Switch via span problem

Posted by Eric Noel, 07-22-2004

On 7/20/2004 12:56 PM, Eric Noel wrote:
> I have a problem with my Snort. I've configured the Cisco switch for
> span/port forwarding, but my problem is that Snort is working only if the
> attack is to itself. So if I tried attacking the web server, it doesn't
> log in Snort. Can anyone assist me by giving pointers, reference
> materials or even directly help me? Thanks guys.
>
> I have the following Snort/ACID setup for reference:
>
> NET LAYOUT:
> cisco 2900xl (172.30.16.0 LAN)
> +-------+-------+-------+
> | fa0/1 | fa0/2 | fa0/3 |
> +-------+-------+-------+
>
> fa0/2 = snort (172.30.19.49/255.255.240.0)
> fa0/3 = web server (172.30.19.101/255.255.240.0)
>
> CISCO CONFIG:
> interface FastEthernet0/1
> switchport mode multi
> interface FastEthernet0/2
> port monitor FastEthernet0/3
>
> CISCO SHOW PORT MONITOR:
> Monitor Port Port Being Monitored
> --------------------- ---------------------
> FastEthernet0/2 FastEthernet0/3
>
> SNORT CONF:
> var HOME_NET [172.30.16.0/20]
> var EXTERNAL_NET any
> var HTTP_SERVERS [172.30.19.101/20,172.30.19.102/20]
> var RULE_PATH /etc/snort/rules
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users
>


I tried Matt's revision to my Snort conf, but it still logs only
intrusions directed at the Snort server and not at other servers (e.g.
the webserver). Anyway, I just installed a sensor on the firewall portion
and log to the Snort server just to make ends meet :(. I hope somebody
has a clue as to why I still can't detect any intrusion other than on my
Snort server.


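One way to narrow down the symptom in the post above, added here as an example and not part of the original thread: classify a text capture taken on the sensor's sniffing interface to see whether any unicast traffic for the monitored web server reaches the NIC at all. It assumes `tcpdump -nn` style IPv4 output; the function names, the hosts 10.1.1.5 and 172.30.16.1, and the sample lines are constructed.

```python
import ipaddress
import re

# Address part of `tcpdump -nn` IPv4 text output: "IP src[.port] > dst[.port]:"
LINE_RE = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")
LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")

def classify_capture(lines, sensor_if, monitored_ip):
    """Count captured frames by what they say about the mirror port."""
    iface = ipaddress.ip_interface(sensor_if)      # e.g. "172.30.19.49/20"
    bcast = iface.network.broadcast_address        # 172.30.31.255 for this LAN
    monitored = ipaddress.ip_address(monitored_ip)
    counts = dict(own=0, flooded=0, mirrored=0, other=0, unparsed=0)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:                                   # ARP and other non-IPv4 lines
            counts["unparsed"] += 1
            continue
        src, dst = (ipaddress.ip_address(a) for a in m.groups())
        if iface.ip in (src, dst):
            counts["own"] += 1                      # seen with or without a mirror
        elif dst in (bcast, LIMITED_BCAST) or dst.is_multicast:
            counts["flooded"] += 1                  # broadcast/multicast reaches every port
        elif monitored in (src, dst):
            counts["mirrored"] += 1                 # unicast to/from the monitored host
        else:
            counts["other"] += 1                    # unicast between other hosts
    return counts

def verdict(counts):
    # Mirrored unicast present: frames reach the NIC, so check Snort's vars and rules next.
    # Absent: check the switch monitor session and the interface Snort sniffs on.
    return "mirror-ok" if counts["mirrored"] else "no-mirrored-traffic"

# Constructed sample lines; 10.1.1.5 and 172.30.16.1 are made-up hosts.
SELF_ONLY = [
    "12:00:01.000001 IP 10.1.1.5.51512 > 172.30.19.49.22: Flags [S], seq 1, win 512, length 0",
    "12:00:01.000200 IP 172.30.19.49.22 > 10.1.1.5.51512: Flags [S.], seq 1, ack 2, win 512, length 0",
    "12:00:02.000000 IP 172.30.19.101.138 > 172.30.31.255.138: UDP, length 201",
    "12:00:03.000000 ARP, Request who-has 172.30.19.101 tell 172.30.16.1, length 46",
]
MIRRORED = SELF_ONLY + [
    "12:00:04.000000 IP 10.1.1.5.51600 > 172.30.19.101.80: Flags [S], seq 1, win 512, length 0",
]

if __name__ == "__main__":
    for name, cap in (("self-only", SELF_ONLY), ("mirrored", MIRRORED)):
        c = classify_capture(cap, "172.30.19.49/20", "172.30.19.101")
        print(name, c, verdict(c))
```

A `no-mirrored-traffic` result on a capture taken while the web server is being accessed points at the switch or the capture interface rather than at `snort.conf`.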