Snort mailing list archives
Snort multiple sensor configuration
From: "Stephen Reese" <rsreese () gmail com>
Date: Thu, 9 Oct 2008 00:16:06 -0400
I've recently set up a Debian host running snort 2.8.3.1. There are four NICs in the machine, one is a management interface and the other three connect to various network points.

    Internet (sensor) <firewall> (sensor) main network (sensor) <router> branch networks

The first IP is the Internet so we may see everything coming at it. The first network is the "main network", we want to see everything the firewall misses or if any of our hosts are being naughty so there is a sensor on that side of the firewall. The other networks that follow are all branch networks connected via T1, we want to make sure that the main network isn't sending out or receiving anything naughty. I'm using sessions on three Cisco switches to create the taps.

I'm currently running a process for each sensor 1-3:

    $ sudo /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -D

The basic network configuration is my question. I'm currently using the same configuration file for all three processes.

    var HOME_NET [66.15.39.1,172.31.1.0/24,172.31.2.0/24,172.31.3.0/24,172.31.4.0/24,172.31.5.0/24]
    var EXTERNAL_NET !$HOME_NET

I've got the ruleset wide open so there are all kinds of alerts at this point and I know I have to cut them back after we figure out what's useful, but are my definitions accurate for the network layout or is there a better method I should be following?
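As an added example that is not part of the thread, the Python checker below parses the HOME_NET and EXTERNAL_NET definitions from the post and reports whether a rule header of the form `$EXTERNAL_NET any -> $HOME_NET any` would match a given flow, which shows how one shared definition behaves on each sensor's traffic (Internet-facing, inside the firewall, branch links). It implements only a simplified subset of Snort 2 variable syntax (bracketed comma list, leading `!`, `$REF` to another var, `any`), and the flow addresses are constructed sample values.

```python
import ipaddress

# Variables exactly as written in the post's shared snort.conf
VARS = {
    "HOME_NET": "[66.15.39.1,172.31.1.0/24,172.31.2.0/24,172.31.3.0/24,"
                "172.31.4.0/24,172.31.5.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
}


def parse_var(value, variables):
    """Return (negated, [networks]) for a Snort-style address variable.

    Simplified subset of Snort 2 syntax: a bracketed comma list, a single
    address or CIDR, a leading '!', '$NAME' references, and 'any'.
    """
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].strip()
    if value.startswith("$"):                       # reference to another var
        inner_neg, nets = parse_var(variables[value[1:]], variables)
        return negated != inner_neg, nets           # '!' flips the referenced sense
    if value == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    tokens = [t.strip() for t in value.strip("[]").split(",") if t.strip()]
    return negated, [ipaddress.ip_network(t, strict=False) for t in tokens]


def in_var(addr, name, variables=VARS):
    """True if addr satisfies the variable (honouring negation)."""
    negated, nets = parse_var(variables[name], variables)
    hit = any(ipaddress.ip_address(addr) in net for net in nets)
    return hit != negated


def rule_fires(src, dst, variables=VARS):
    """Would '$EXTERNAL_NET any -> $HOME_NET any' match this src -> dst flow?"""
    return in_var(src, "EXTERNAL_NET", variables) and in_var(dst, "HOME_NET", variables)


if __name__ == "__main__":
    # Constructed sample flows, one per sensor position described in the post
    flows = [
        ("8.8.8.8", "172.31.1.10"),       # Internet host -> main network
        ("172.31.2.10", "172.31.1.10"),   # branch host -> main network
        ("172.31.1.10", "8.8.8.8"),       # main network -> Internet (outbound)
    ]
    for src, dst in flows:
        print(f"{src:>13} -> {dst:<13} fires={rule_fires(src, dst)}")
```

Flows between two HOME_NET addresses (the branch-to-main case) never satisfy `$EXTERNAL_NET` as a source, so an inside sensor relying on that rule header will not alert on them unless the per-sensor definitions differ.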