Snort mailing list archives
Re: Snort and my VLANs
From: Josh Bitto <jbitto () onlineschool ca>
Date: Thu, 14 Feb 2013 16:06:14 -0800
Never mind…..I figured out what I was doing wrong…..I had everything working correctly and I can trigger events….I just installed a port scanner on one of the machines in a VLAN subnet and it triggered…..I’m good to go :D

From: Y M [mailto:snort () outlook com]
Sent: Thursday, February 14, 2013 2:08 PM
To: Josh Bitto; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Snort and my VLANs

In this case you would need to place sensors between VLANs for VLAN-to-VLAN communication/detection, since the traffic will not be reaching the edge WAN or router interface and Snort will not be seeing the traffic. However, if a BYOD is, for example, infected with malware which may be attempting to communicate to an external IP, then it has to go through the edge router and hence get detected by Snort. This is where a distributed sensor deployment architecture would come in handy. I would suggest starting with, if you have one, the servers VLAN to monitor any suspicious activity going to your servers.

I hope my answer makes some sense.

YM

________________________________
From: Josh Bitto<mailto:jbitto () onlineschool ca>
Sent: 2/15/2013 12:57 AM
To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: [Snort-users] Snort and my VLANs

I’m having issues where I am not able to determine if I can actually catch bad traffic with Snort. Right now I have Snort in a test lab where I have interfaces WAN, LAN….and then my VLANs. My firewall does all the routing and has the VLANs set up. So when I go to testmyids.com and trigger a rule I get the rule triggered on my WAN interface but not any of my VLANs……

Basically what I’m trying to initiate is if a user brings in a BYOD…I want to be able to detect anything on that machine when it connects to my internal VLAN.
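
Y M's reply turns on whether a given sensor interface ever sees the VLAN-to-VLAN traffic. The following is an added example, not code from the thread or from the Snort project: it tallies 802.1Q VLAN IDs in raw Ethernet frames captured at a sensor and reports which expected VLANs the sensor is blind to. It assumes the sensor interface receives tagged frames (for example from a trunk or mirror port); the VLAN IDs, addresses and function names are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad (QinQ) tag protocol identifiers

def parse_frame(raw):
    """Return (vlan_id or None, src_ip, dst_ip) for an IPv4 frame, else None."""
    if len(raw) < 14:
        return None
    ethertype = struct.unpack_from("!H", raw, 12)[0]
    offset, vlan = 14, None
    while ethertype in TPIDS:                 # walk one or more stacked tags
        if len(raw) < offset + 4:
            return None                       # truncated tag
        tci, ethertype = struct.unpack_from("!HH", raw, offset)
        vlan = tci & 0x0FFF                   # low 12 bits of TCI; innermost tag wins
        offset += 4
    if ethertype != 0x0800 or len(raw) < offset + 20:
        return None                           # not IPv4 (e.g. ARP) or truncated header
    src, dst = struct.unpack_from("!4s4s", raw, offset + 12)
    return vlan, IPv4Address(src), IPv4Address(dst)

def vlan_coverage(frames):
    """Count parsed IPv4 frames per VLAN ID (None = untagged) seen by the sensor."""
    seen = Counter()
    for raw in frames:
        parsed = parse_frame(raw)
        if parsed:
            seen[parsed[0]] += 1
    return seen

def blind_vlans(expected, frames):
    """VLAN IDs that should be monitored but never appeared in the capture."""
    return sorted(set(expected) - set(vlan_coverage(frames)))

def make_frame(vlan, src, dst):
    """Build a constructed test frame: zeroed MACs, optional tag, bare IPv4 header."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return bytes(12) + tag + struct.pack("!H", 0x0800) + ip

# Constructed sample capture: two inter-VLAN frames and one untagged frame.
SAMPLE = [
    make_frame(10, "10.0.10.5", "10.0.20.8"),
    make_frame(20, "10.0.20.8", "10.0.10.5"),
    make_frame(None, "192.0.2.10", "198.51.100.7"),
]
```

Calling `blind_vlans([10, 20, 30], SAMPLE)` on the constructed capture reports VLAN 30 as unseen, which is the signal that a sensor needs to be placed or mirrored differently for that segment.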
Current thread:
- Snort and my VLANs Josh Bitto (Feb 14)
- Re: Snort and my VLANs Ayodele Okeowo (Feb 15)
- Re: Snort and my VLANs Josh Bitto (Feb 15)
- Re: Snort and my VLANs Ayodele Okeowo (Feb 15)
- Re: Snort and my VLANs Josh Bitto (Feb 15)
- <Possible follow-ups>
- Re: Snort and my VLANs Y M (Feb 14)
- Re: Snort and my VLANs Josh Bitto (Feb 14)
- Re: Snort and my VLANs Josh Bitto (Feb 14)
- Re: Snort and my VLANs Joel Esler (Feb 15)
- Re: Snort and my VLANs Ayodele Okeowo (Feb 15)