On Monday 20 May 2002 8:49 pm, Ramin Alidousti wrote:
> > > Plugging the snort box into all these 4 LANs requires that snort
> > > sees all the packets on each LAN, which means that you either have
> > > no switch in each LAN or need to mirror all the traffic to the snort
> > > switch port. Hmmm. Good luck.
> >
> > No, you just plug each network card on the snort box into a hub connected
> > to the corresponding leg of the router. Then the snort box gets to see
> > all packets to or from another network, and doesn't need to know about
> > packets
>
> Wasn't he saying that the attack was coming from within the subnet?
> If the attack is not within the same subnet then simple anti-spoofing
> ACLs on the Cisco interfaces do the work without the need of snorting...
Looking back over this thread I can't tell whether the attacker and the target are on the same subnet or not. Maciej says that the address which was spoofed was on the same subnet as the spoofer, but I can't see that he says whether the target was remote or local. I kind of assumed that the target was not on the same subnet as the attacker, otherwise he wouldn't have given us the initial picture of his router with the 4 interfaces..... ? Antony.
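As an added illustration of the per-interface anti-spoofing ACLs Ramin refers to (this is not configuration from the thread; the interface names and the 192.0.2.0/24 and 198.51.100.0/24 subnets are constructed placeholders, one leg of the four-interface router shown per block):

```cisco
! Constructed example: each router leg only accepts packets whose source
! address belongs to the subnet attached to that leg. A host on LAN A that
! forges a LAN B source address is dropped (and logged) at the router.
ip access-list extended ANTISPOOF-LAN-A
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
ip access-list extended ANTISPOOF-LAN-B
 permit ip 198.51.100.0 0.0.0.255 any
 deny   ip any any log
!
interface FastEthernet0/0
 description LAN A (placeholder subnet)
 ip address 192.0.2.1 255.255.255.0
 ip access-group ANTISPOOF-LAN-A in
!
interface FastEthernet0/1
 description LAN B (placeholder subnet)
 ip address 198.51.100.1 255.255.255.0
 ip access-group ANTISPOOF-LAN-B in
```

Note the limit Antony's question turns on: a packet spoofing an address from its own subnet and aimed at a host on that same subnet never reaches the router, so these ACLs cannot see it; that case needs a sensor on the LAN itself (the hub-per-leg snort setup), with `show ip access-lists` counters and the `log` hits serving as the detection signal for the cross-subnet case.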
