Snort mailing list archives
RE: SNORT and VLans
From: "Martin Jr., D. Michael" <martinm () montevallo edu>
Date: Thu, 26 Feb 2004 17:05:22 -0600
What you are describing is exactly the way we are configured. We monitor all traffic (internal and external) on all 80+ vlans using one Snort box. Luckily, our network topology has everything coming back to one single core switch (Catalyst 4006) so we just set up monitoring of all ports back to a single port for the Snort IDS. The syntax of our commands is as follows:

    monitor session 1 source interface Gi1/1 - 2
    monitor session 1 source interface Gi3/1 - 6
    monitor session 1 source interface Gi4/1 - 6
    monitor session 1 source interface Fa5/1 - 26 , Fa5/28 - 48
    monitor session 1 source interface Fa6/1 - 48
    monitor session 1 destination interface Fa5/27

This setup has been a godsend for us in helping to locate possible infected machines. One problem with our installation of Snort (as I am afraid any IDS would have to some degree) is the "false positives" we sometimes get. You can automate all you want but you will always need a human being to sort through the data.

Hope this helps,

Michael Martin
University of Montevallo

_____

From: Puetz, Christoph [mailto:christoph.puetz () thomson com]
Sent: Thursday, February 26, 2004 12:11 PM
To: 'snort-users () lists sourceforge net.'
Subject: [Snort-users] SNORT and VLans

Hello,

We're looking into the option of putting a NIDS system into place. We're not just interested in seeing what is coming from the outside, but we also want to monitor our VLans for unusual activity (e.g. virus outbreaks, infected machines sending out SPAM or broadcasting the payload via RPC buffer overflows and all that 'good' stuff). Is SNORT an option for us at all? What would be the approach if I want to monitor about 10 VLans and the uplink to the Internet? Do I just throw 10 clients/sensors out to cover each VLan that report back to the main box? Or would I need 10 additional ports on my Cisco switches (1 for each VLan)? Or is one bastion host on the uplink capable of giving me the information I need from every VLan?

I noticed in the archives that some information is being stripped off when VLans are involved.

Thanks for your feedback.

Chris

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
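The thread turns on two things a single Snort box fed from one SPAN destination port has to cope with: frames from many VLANs arrive on the same wire, and a tagged frame carries a 4-byte 802.1Q header between the source MAC and the EtherType, so a decoder that is not VLAN-aware reads the tag control word where it expects the EtherType and loses the IP header behind it (the "information being stripped off" Chris mentions is usually this tag being dropped or misread somewhere between switch and sensor). The following Python is an added illustration written for this archive page, not code from either poster or from the Snort project; the frames, MAC addresses, IP addresses and VLAN numbers are constructed sample data, and the VLAN-per-frame tally stands in for what a sensor on the Fa5/27-style destination port would see.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# EtherType values: 0x8100 marks an 802.1Q tag, 0x0800 an IPv4 payload.
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]    # None when the frame carries no 802.1Q tag
    priority: Optional[int]   # 802.1p priority bits from the tag, if present
    ethertype: int            # EtherType of the encapsulated payload
    payload: bytes


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> Frame:
    """Parse an Ethernet II frame, stepping over an 802.1Q tag if one is present."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    vlan_id = priority = None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI is 3 bits priority, 1 bit DEI, 12 bits VLAN ID; the real EtherType follows it.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13
        vlan_id = tci & 0x0FFF
        offset = 18
    return Frame(mac_str(dst), mac_str(src), vlan_id, priority, ethertype, frame[offset:])


def ipv4_endpoints(payload: bytes):
    """Return (src_ip, dst_ip) from an IPv4 header, or None if the payload is not IPv4."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    src = ".".join(str(b) for b in payload[12:16])
    dst = ".".join(str(b) for b in payload[16:20])
    return src, dst


def build_frame(dst: str, src: str, payload: bytes, vlan_id: Optional[int] = None,
                priority: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Build a sample frame (constructed test data, not a capture)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = (priority << 13) | (vlan_id & 0x0FFF)
    return hdr + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype) + payload


def ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header, no options, checksum left zero (sample data only)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, src_b, dst_b)


def frames_per_vlan(frames: List[bytes]) -> Dict[Optional[int], int]:
    """Tally frames by VLAN ID, as a sensor on one SPAN destination port would see them."""
    counts: Dict[Optional[int], int] = {}
    for raw in frames:
        f = parse_ethernet(raw)
        counts[f.vlan_id] = counts.get(f.vlan_id, 0) + 1
    return counts


# Constructed sample traffic: two tagged frames from VLAN 120, one from VLAN 7, one untagged.
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                ipv4_header("10.1.120.5", "10.1.7.9"), vlan_id=120),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                ipv4_header("10.1.120.6", "10.1.7.9"), vlan_id=120, priority=5),
    build_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55",
                ipv4_header("10.1.7.9", "10.1.120.5"), vlan_id=7),
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                ipv4_header("192.168.0.1", "192.168.0.255")),
]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        f = parse_ethernet(raw)
        print(f"vlan={f.vlan_id} prio={f.priority} type=0x{f.ethertype:04x} "
              f"ip={ipv4_endpoints(f.payload)}")
    print(frames_per_vlan(SAMPLE_FRAMES))
```

Running the block parses the four sample frames and prints the VLAN ID, priority and IP endpoints of each, then the per-VLAN tally. The useful check for a deployment like the one described is exactly this: capture a handful of frames on the sensor interface and confirm that the VLAN tags are still present and that the IP headers decode at the expected offset; if the tally shows every frame as untagged, the switch is stripping tags on the destination port and the sensor cannot attribute alerts to a VLAN.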
Current thread:
- SNORT and VLans Puetz, Christoph (Feb 26)
- Re: SNORT and VLans twig les (Feb 26)
- <Possible follow-ups>
- RE: SNORT and VLans Martin Jr., D. Michael (Feb 26)
- Re: SNORT and VLans Jason Haar (Feb 26)