Snort mailing list archives
RE: Can Snort monitor multiple VLANs from a single box?
From: "Escudero, Peter Louis" <peterlouis.escudero () eds com>
Date: Tue, 5 Apr 2005 15:14:25 -0400
Thanks, it's the same file in SuSE. So do I say INTERFACE="eth1 eth2 eth3" or INTERFACE="eth1, eth2, eth3"? Are you also saying that I don't need to have a separate IDS box for each VLAN, that snort can sniff on multiple VLANs from a single box?

Peter Escudero

-----Original Message-----
From: Robert Bilbrey [mailto:rbilbrey () naasecurity net]
Sent: Tuesday, April 05, 2005 10:40 AM
To: Escudero, Peter Louis
Subject: Re: [Snort-users] Can Snort monitor multiple VLANs?

I don't know about Suse, but on RHEL3 you define the interfaces you want snort to listen on in /etc/sysconfig/snort. Edit the line:

INTERFACE="eth1"

to include the interfaces to listen on. The init script will use this to launch the appropriate number of instances of snortd listening on the interfaces listed.

bb

Escudero, Peter Louis wrote:

Thanks for the input, Peter. Sorry I can't help you with Barnyard. One of the Cisco switches we can't capture alerts from is GigE. Does that matter? The Dell PE750 has 2 onboard GigE NICs. Should we hook up one of them to the Cisco GigE switch then, & have snort sniff on that interface? We, too, have multiple instances of snort running. Please advise. Thanks again.

Peter Escudero

*From:* snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] *On Behalf Of* Peter Barton
*Sent:* Tuesday, April 05, 2005 9:02 AM
*To:* Snort-users () lists sourceforge net
*Subject:* RE: [Snort-users] Can Snort monitor multiple VLANs?

If you are having Snort log directly to MySql then the easiest way to do it is to have multiple instances of Snort running, one for each interface. My question to everyone is, what if you use Barnyard to write to MySql and have Snort just write to binary files. I still have multiple instances of Snort running, but I can only seem to get one instance of Barnyard running. Is there a trick to this or am I just going about this the wrong way?

Thanks,
Peter Barton

*From:* snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] *On Behalf Of* Escudero, Peter Louis
*Sent:* Tuesday, April 05, 2005 10:54 AM
*To:* Snort-users () lists sourceforge net
*Subject:* [Snort-users] Can Snort monitor multiple VLANs?

Our IDS box is a Dell PE750 running SuSE Linux 9.1 Pro & snort v2.1.x, with a quad 10/100 NIC card. Three of the ports are hooked up to 3 different Cisco switches, representing 3 different VLANs. We're able to capture alerts from one switch, but not from the others. Is snort able to monitor different VLANs? Or do we need a separate IDS box for each VLAN? Any info you can provide will be greatly appreciated.

Peter Escudero
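
One way to turn a multi-interface INTERFACE value into one Snort instance per interface, as the thread above discusses. This is an added example, not the RHEL or SuSE init script and not code from any poster; the accepted separators (spaces or commas), the config path and the per-interface log directories are assumptions of the example.

```shell
#!/bin/sh
# Added example: dry-run generator, not the distribution's snortd init script.
# Assumed paths; adjust to the local install.
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_LOGROOT="${SNORT_LOGROOT:-/var/log/snort}"

# split_ifaces VALUE -> one interface name per line.
# Accepts spaces and/or commas as separators (a choice made by this example),
# drops duplicates, and rejects names outside [A-Za-z0-9._-] or longer than
# 15 characters (Linux interface-name limit) so a stray value never reaches
# the command line. Runs in a subshell with globbing off.
split_ifaces() (
    set -f
    seen=""
    for ifc in $(printf '%s' "$1" | tr ',' ' '); do
        case "$ifc" in
            *[!A-Za-z0-9._-]*) echo "bad interface name: $ifc" >&2; return 1 ;;
        esac
        [ "${#ifc}" -le 15 ] || { echo "name too long: $ifc" >&2; return 1; }
        case " $seen " in *" $ifc "*) continue ;; esac
        seen="$seen $ifc"
        echo "$ifc"
    done
)

# snort_cmds VALUE -> one snort command line per interface. Each instance
# gets its own log directory so output from different segments stays apart.
# Flags used: -D daemon mode, -i interface, -c config file, -l log directory.
snort_cmds() {
    ifaces=$(split_ifaces "$1") || return 1
    [ -n "$ifaces" ] || { echo "no interfaces given" >&2; return 1; }
    for ifc in $ifaces; do
        echo "snort -D -i $ifc -c $SNORT_CONF -l $SNORT_LOGROOT/$ifc"
    done
}

# Constructed sample value: print the commands instead of running them.
snort_cmds "eth1, eth2 eth3"
```

The script only prints the command lines; the log directories must exist before the commands are run.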