Snort mailing list archives

RE: Monitor multiple VLANs


From: "Douglas McCrea" <dmccrea () rci rutgers edu>
Date: Thu, 16 Oct 2003 12:30:28 -0400

I set the spanport to monitor the trunk port. I've found that only active VLANS seem to be monitored though. If you set 
the port you are monitoring from as trunk and do not use spanport, would that provide improved results (i.e. all VLANS 
on trunk could then be monitored, not just the active VLANS on that particular switch)?

-Doug

-----Original Message-----
From: Gordon Cunningham [mailto:gacunningham () bellsouth net]
Sent: Thursday, October 16, 2003 12:15 PM
To: Martin Jr., D. Michael; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Monitor multiple VLANs


I read your question as how to architect the sniffing fabric of your NIDS.
Depending on traffic levels and how interested you are in local LAN traffic
(i.e. what are you protecting?), there are multiple ways to do this, each
with its own limitations.  The basic brute-force way is to set up a span
port for each VLAN you wish to monitor, and plug that into its own sniffing
NIC.  Larger Cisco switches allow multiple span ports - check your IOS
revision and the model of switch you are using.  There are docs on the Cisco
site outlining how to do this.

You can also cascade these span ports into another switch using the transmit
pairs only, as some have outlined in docs on the snort site, which gets you
back to a single or a few sniffer NICs, but this could be easily overloaded
if the traffic load is high on multiple VLANs.

If all your VLANs are trunked back to a big central core switch, you could
span a port from any VLAN and monitor in a centralized location.


- Gordon

"When I finally found a spam filter that worked, I no longer received ANY
email."

 -----Original Message-----
From:   snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]  On Behalf Of Martin Jr.,
D. Michael
Sent:   Thursday, October 16, 2003 10:50 AM
To:     snort-users () lists sourceforge net
Subject:        [Snort-users] Monitor multiple VLANs

I was wondering if anyone out there has been successful in configuring
Snort to monitor traffic on multiple VLANs.  If so, how did you
accomplish this?  We are basically a "Cisco-shop" and are thinking of
segmenting our residence halls (and other areas) into separate VLANs for
security and virus propagation defense.  However, we would like to
configure our Snort box (Windows 2000) to actually be able to see and
"sniff" the traffic on all of the VLANs.

Any suggestions?

Thanks,

Michael Martin
University of Montevallo


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users
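
Added example (not part of the original thread, and not Snort's own code): a way to check which VLANs a sensor on a spanned trunk port is actually receiving, by tallying 802.1Q VLAN IDs in a classic pcap capture and listing the expected VLANs that never appear. The capture bytes, the VLAN numbers 10/20/30 and all function names are constructed for illustration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType that marks an IEEE 802.1Q VLAN tag

def vlan_counts(pcap_bytes):
    """Count frames per VLAN ID in a classic pcap; untagged frames go under None."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("expected Ethernet (linktype 1)")
    counts, offset = Counter(), 24
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:
            continue  # too short to hold an Ethernet header
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == TPID_8021Q and len(frame) >= 18:
            tci = struct.unpack("!H", frame[14:16])[0]
            counts[tci & 0x0FFF] += 1  # low 12 bits of the tag are the VLAN ID
        else:
            counts[None] += 1
    return counts

def missing_vlans(counts, expected):
    """Expected VLAN IDs for which the sensor saw no frames at all."""
    return sorted(v for v in expected if counts.get(v, 0) == 0)

def _frame(vlan=None):
    # Constructed broadcast frame with a zeroed payload, optionally 802.1Q-tagged.
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    tag = struct.pack("!HH", TPID_8021Q, vlan) if vlan is not None else b""
    return hdr + tag + struct.pack("!H", 0x0800) + b"\x00" * 46

def sample_pcap():
    # Constructed capture: two frames on VLAN 10, one on VLAN 20, one untagged.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (_frame(10), _frame(10), _frame(20), _frame()):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    c = vlan_counts(sample_pcap())
    print(dict(c), "missing:", missing_vlans(c, {10, 20, 30}))
```

If the capture NIC or driver strips VLAN tags before the frames reach the capture, every frame is counted as untagged, so a result with only `None` points at the sensor's interface rather than at the span configuration.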



