[prev in list] [next in list] [prev in thread] [next in thread]
List: snort-users
Subject: [Snort-users] eliminating multicasts to reduce false positives
From: Juan Fernandez <Juan.Fernandez () deltathree ! com>
Date: 2004-11-30 11:26:20
Message-ID: BF16A3E26393CB488FE7A88F34D19ED80D44E8CA () n171-18 ! deltathree ! com
[Download RAW message or body]
HI,
I read in intrusion detection with snort from jack koziol that it is a good
idea to eliminate multicasts on the mirrored port that the sensor is
installed.
I have a cisco 2900 switch Is it possible to do this ? ( I mirror the
firewall port in the dmz ). I mean disable the multicasts on the mirrored
port and them mirror it).
What are the consciences of disabling multicasts anyway?
Thanks !!!
Juan
[Attachment #3 (text/html)]
<html xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
text-align:right;
direction:rtl;
unicode-bidi:embed;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
@page Section1
{size:595.3pt 841.9pt;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1 dir=RTL>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=2 face=Arial><span \
style='font-size:10.0pt;font-family:Arial'>HI,<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=2 face=Arial><span \
style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>I
read in intrusion detection with snort from jack koziol that it is a good idea
to eliminate multicasts on the mirrored port that the sensor is \
installed.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=2 face=Arial><span \
style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>I
have a cisco 2900 switch Is it possible to do this ? ( I mirror the firewall
port in the dmz ). I mean disable the multicasts on the mirrored port and them
mirror it).<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=2 face=Arial><span \
style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>What
are the consciences of disabling multicasts anyway?<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=2 face=Arial><span \
style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=2 face=Arial><span \
style='font-size:10.0pt;font-family:Arial'>Thanks
!!!<o:p></o:p></span></font></p>
<p class=MsoNormal dir=RTL><font size=2 face=Arial><span dir=LTR
style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><strong><b><font size=2 color=navy face=Verdana><span style='font-size:
10.0pt;font-family:Verdana;color:navy'>Juan \
</span></font></b></strong><o:p></o:p></p>
<p class=MsoNormal dir=RTL><font size=3 face="Times New Roman"><span dir=LTR
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
</div>
</body>
</html>
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic