Snort mailing list archives
Re: Security onion, Snort, plus subnets?
From: Doug Burks <doug.burks () gmail com>
Date: Tue, 24 Apr 2012 12:36:06 -0400
Hi Corbin,

You should have one dedicated management interface (with an IP address) and one or more sniffing interfaces (without IP addresses) that receive traffic from your tap/span ports. You can configure the interfaces to be monitored in the Security Onion Setup wizard. If you choose Quick Setup, Security Onion will automatically monitor all ethernet interfaces. If you choose Advanced Setup, you'll be able to choose one or more interfaces to be monitored.

If you have more questions specific to Security Onion, please feel free to use our Security Onion mailing list: http://groups.google.com/group/security-onion

Thanks,
Doug

On Tue, Apr 24, 2012 at 11:30 AM, Corbin Fletcher <corbin () freeway com> wrote:
Hello All--

We have made some good progress...we now have installed Security Onion in a virtual environment, on our data center, and we have configured Snort. We are using Squert, Snorby, and Sguil to monitor events as they occur. Our sensor appears to only be monitoring traffic on our private network (subnet), 10.10.xx.xxx. This is also the subnet where our sensor lives. Our sensor's IP address is 10.10.xx.xxx.

The next step is to configure our Snort sensor to monitor all traffic coming from our main switch (Cisco 2960G), e.g., monitor all traffic on our network. We will need to configure Snort to watch the SPAN port on our switch. Can anyone advise on how best to achieve this goal on the sensor side? Do we need to add a network in the Snort config file? I am lost at this point and any advice on Snort configuration is much appreciated. Is there another way to best and easily achieve our goal to monitor all traffic on our network with Snort?

Another way to ask this question...how can I configure Snort to monitor all traffic throughout our small data center, which provides VoIP services, including private addresses (e.g., 10.10.xx.xxx) and other subnets (66.113.xx.xxx)? At this point, Snort is monitoring a small segment (subnet) of a large network; therefore, we are not receiving the full benefit of the data our Snort sensor is collecting.

Thanks in advance...any information will be helpful.

~Corbin

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members! http://augusta.issa.org/drupal/SANS-Augusta-2012
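The interface layout Doug describes (one management interface with an address, sniffing interfaces with none, fed by the SPAN port) can be checked from ip(8) output. The script below is an added example, not code from this thread or from Security Onion; the interface names, flag strings and addresses in its sample are constructed, and it assumes the one-line-per-object format of `ip -o link show` and `ip -o -4 addr show` on Linux.

```shell
#!/bin/sh
# Added example (not from the thread or Security Onion): check a sensor's
# interfaces against the layout Doug describes. Management = has an IPv4
# address; sniffing = no address, and must be UP, have carrier (LOWER_UP)
# and be PROMISC to receive everything the SPAN port mirrors.
# Input: `ip -o link show` output followed by `ip -o -4 addr show` output.

classify_ifaces() {
  # Reads the combined ip(8) output on stdin and prints one line per
  # interface: "<name> management <addr...>" or "<name> sniffing ok|<problems>".
  awk '
    $3 ~ /^</ {                 # link line: 2: eth1: <FLAGS> mtu ...
      name = $2; sub(/:$/, "", name)
      flags[name] = $3; order[++n] = name
    }
    $3 == "inet" {              # addr line: 2: eth0    inet 10.10.1.5/24 ...
      ip[$2] = ip[$2] " " $4
    }
    END {
      for (i = 1; i <= n; i++) {
        name = order[i]
        if (flags[name] ~ /LOOPBACK/) continue
        if (name in ip) { print name " management" ip[name]; continue }
        problems = ""
        if (flags[name] !~ /[<,]UP[,>]/) problems = problems " NOT-UP"
        if (flags[name] !~ /LOWER_UP/)   problems = problems " NO-CARRIER"
        if (flags[name] !~ /PROMISC/)    problems = problems " NOT-PROMISC"
        status = (problems == "") ? " ok" : problems
        print name " sniffing" status
      }
    }'
}

# Constructed sample: eth0 is management, eth1 a healthy sniffing port, eth2
# has no address but is down and not promiscuous (its SPAN feed is lost).
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:56 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:57 brd ff:ff:ff:ff:ff:ff
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.10.1.5/24 brd 10.10.1.255 scope global eth0\       valid_lft forever preferred_lft forever'

# On a real sensor: { ip -o link show; ip -o -4 addr show; } | classify_ifaces
printf '%s\n' "$SAMPLE" | classify_ifaces
```

A sniffing interface reported with NOT-PROMISC or NO-CARRIER will not see the mirrored traffic from the other subnets, which is the symptom Corbin describes.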
Current thread:
- Security onion, Snort, plus subnets? Corbin Fletcher (Apr 24)
- Re: Security onion, Snort, plus subnets? Doug Burks (Apr 24)
- Re: Security onion, Snort, plus subnets? Castle, Shane (Apr 24)
- Re: Security onion, Snort, plus subnets? Doug Burks (Apr 24)