From: Kenneth Smith
Date: Mon, 1 Jul 2002 15:01:16 -0400 (EDT)
Subject: Re: snort + vlans
To: dima@rt.ru
Cc: security@FreeBSD.ORG
Message-ID: <27779.199.125.55.250.1025550076.squirrel@www.gcfn.org>
In-Reply-To: <3D20904C.8AF8703C@rt.ru>
References: <3D20904C.8AF8703C@rt.ru>

Dmitry:

Have you looked at the IOS "port monitor" command?

It is not clear what you are referring to when you say "my box," but I
would be careful if you are using VLANs to separate your unsecured and
secured LANs.

ks

> mike.jablonski@abnamrousa.com wrote:
>>
>> you need to enable the span port feature.
>>
>
> Sorry, seems my explanation was too bad.
> I have internal FW. It is connected to cat2924
> with xl0 at 100Mbit.
> Switch port is in trunk mode.
> There are 2 vlans on xl0: vlan0 and vlan1.
> There is no ip on xl0.
> My defaultrouter (cisco 26XX) is in vlan0 (trunk too).
> My office subnet is on vlan1 (all office hosts
> configured as vlan 1 on switch).
>
> So, my box works as router+FW between vlan0 and vlan1.
> Now it works.
>
> So, I want to set up snort to detect attacks.
> What iface (xl0, vlan0, or what) shall I bind snort
> (snort -i flag) to make it analyze both internal
> and external traffic?
>
> Another question is: cisco detects vlans with vtp
> protocol. Does FreeBSD support it?
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message