From owner-freebsd-security Mon Jul 1 12:40:38 2002
Date: Mon, 1 Jul 2002 12:40:23 -0700 (PDT)
From: twig les
Subject: Re: snort + vlans
To: "Dmitry S. Rzhavin", mike.jablonski@abnamrousa.com, security@FreeBSD.ORG
In-Reply-To: <3D20904C.8AF8703C@rt.ru>
Message-ID: <20020701194023.12286.qmail@web10106.mail.yahoo.com>

I don't like being the bearer of bad news, but the SPAN feature on the 2900 and 3500 series *sucks*. To answer your question about which interface to use, bind Snort to the interface that is inside the VLAN you want to monitor, because otherwise you won't see any traffic. The bigger Catalysts can monitor multiple VLANs but not the 29/35s. Another limitation of this series is the ability to only set one receive port. Again, the bigger switches don't have this.

Also, read this fun fact from Cisco's site:

"The monitoring port receives copies of transmitted and received traffic for all monitored ports. In this architecture, a packet destined for multiple destinations is stored in memory until all copies have been forwarded. If the monitoring port is 50 percent oversubscribed for a sustained period of time, it will probably become congested and hold part of the shared memory.
One or more of the ports being monitored might then also experience a slowdown."
http://www.cisco.com/warp/public/473/41.html#archXL

This pretty much means that if your sniffer port is over 50% then it will drag other ports down. Cisco has a neat feature called port protection too. Well, that breaks sniffing also.

Sorry if this is kind of a rant. I have gone through many rites of passage on our Cisco switches (and lately the routers...).

--- "Dmitry S. Rzhavin" wrote:
> mike.jablonski@abnamrousa.com wrote:
> >
> > you need to enable the span port feature.
> >
>
> Sorry, it seems my explanation was too bad.
> I have an internal FW. It is connected to cat2924
> with xl0 at 100Mbit.
> Switch port is in trunk mode.
> There are 2 vlans on xl0: vlan0 and vlan1.
> There is no ip on xl0.
> My default router (cisco 26XX) is in vlan0 (trunk
> too).
> My office subnet is on vlan1 (all office hosts
> configured as vlan 1 on switch).
>
> So, my box works as router+FW between vlan0 and
> vlan1.
> Now it works.
>
> So, I want to set up snort to detect attacks.
> What iface (xl0, vlan0, or what) shall I bind snort
> to (snort -i flag) to make it analyze both internal
> and external traffic?
>
> Another question is: cisco detects vlans with vtp
> protocol. Does FreeBSD support it?
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of
> the message

=====
-----------------------------------------------------------
Only fools have all the answers.
-----------------------------------------------------------