Snort mailing list archives
RE: Monitor multiple VLANs
From: "Douglas McCrea" <dmccrea () rci rutgers edu>
Date: Thu, 16 Oct 2003 12:30:28 -0400
I set the spanport to monitor the trunk port. I've found that only active VLANS seem to be monitored though. If you set the port you are monitoring from as trunk and do not use spanport, would that provide improved results (i.e. all VLANS on trunk could then be monitored, not just the active VLANS on that particular switch)?

-Doug

-----Original Message-----
From: Gordon Cunningham [mailto:gacunningham () bellsouth net]
Sent: Thursday, October 16, 2003 12:15 PM
To: Martin Jr., D. Michael; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Monitor multiple VLANs

I read your question as how to architect the sniffing fabric of your NIDS. Depending on traffic levels and how interested you are in local LAN traffic (i.e. what are you protecting?), there are multiple ways to do this, each with its own limitations.

The basic brute-force way is to set up a span port for each VLAN you wish to monitor, and plug that into its own sniffing NIC. Larger Cisco switches allow multiple span ports - check your IOS revision and the model of switch you are using. There are docs on the Cisco site outlining how to do this.

You can also cascade these span ports into another switch using the transmit pairs only, as some have outlined in docs on the snort site, which gets you back to a single or a few sniffer NICs, but this could be easily overloaded if the traffic load is high on multiple VLANs.

If all your VLANs are trunked back to a big central core switch, you could span a port from any VLAN and monitor in a centralized location.

- Gordon

"When I finally found a spam filter that worked, I no longer received ANY email."

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Martin Jr., D. Michael
Sent: Thursday, October 16, 2003 10:50 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Monitor multiple VLANs

I was wondering if anyone out there has been successful in configuring Snort to monitor traffic on multiple VLANs. If so, how did you accomplish this?

We are basically a "Cisco-shop" and are thinking of segmenting our residence halls (and other areas) into separate VLANs for security and virus propagation defense. However, we would like to configure our Snort box (Windows 2000) to actually be able to see and "sniff" the traffic on all of the VLANs.

Any suggestions?

Thanks,
Michael Martin
University of Montevallo

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
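
Added example (not part of any message in this thread): one way to check which VLANs a sensor NIC actually receives from a span or trunk feed is to tally the 802.1Q VLAN IDs in captured frames and compare them with the VLANs the sensor is expected to cover. It assumes the capture delivers raw Ethernet frames with their 802.1Q tags intact; the function names, the sample frames and the expected VLAN list are constructed for illustration.

```python
import struct
from collections import Counter

TPIDS = {0x8100, 0x88A8}  # 802.1Q tag and 802.1ad (QinQ) outer tag

def vlan_id(frame):
    """Return the outermost VLAN ID of an Ethernet frame, or None if untagged or too short."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype not in TPIDS or len(frame) < 18:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID

def coverage(frames, expected_vlans):
    """Tally VLAN IDs seen and report expected VLANs with no traffic at all."""
    seen = Counter()
    untagged = 0  # also counts frames too short to parse
    for frame in frames:
        vid = vlan_id(frame)
        if vid is None:
            untagged += 1
        else:
            seen[vid] += 1
    return {
        "seen": dict(seen),
        "missing": sorted(set(expected_vlans) - set(seen)),
        "unexpected": sorted(set(seen) - set(expected_vlans)),
        "untagged": untagged,
    }

def make_frame(vid=None, prio=0):
    """Constructed sample frame: broadcast dst, made-up src, IPv4 ethertype, dummy payload."""
    hdr = b"\xff" * 6 + bytes.fromhex("020000000001")
    if vid is not None:
        hdr += struct.pack("!HH", 0x8100, (prio << 13) | vid)
    return hdr + struct.pack("!H", 0x0800) + b"\x00" * 46

# Constructed capture: two frames on VLAN 10, one on 20, one untagged, one on VLAN 99.
SAMPLE = [make_frame(10), make_frame(10, prio=5), make_frame(20), make_frame(), make_frame(99)]
EXPECTED = [10, 20, 30]  # hypothetical VLANs the sensor is supposed to see

if __name__ == "__main__":
    print(coverage(SAMPLE, EXPECTED))
```

A VLAN listed under "missing" over a long capture window means the sensor has a blind spot there; a feed that arrives entirely untagged cannot be attributed to VLANs this way.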
Current thread:
- Monitor multiple VLANs Martin Jr., D. Michael (Oct 16)
- Re: Monitor multiple VLANs Chris Green (Oct 16)
- RE: Monitor multiple VLANs Jake Seitz (Oct 16)
- RE: Monitor multiple VLANs Gordon Cunningham (Oct 16)
- <Possible follow-ups>
- RE: Monitor multiple VLANs Martin Jr., D. Michael (Oct 16)
- RE: Monitor multiple VLANs Jeremy Junginger (Oct 16)
- RE: Monitor multiple VLANs Douglas McCrea (Oct 16)
- RE: Monitor multiple VLANs Martin Jr., D. Michael (Oct 16)