Re: Monitoring Multiple Subnets

[Caleb Jaren <tropism.prophet () gmail com>]

I couldn't make sense out of your diagram as gmail is doing some funky
rendering ATM, but I would imagine that unless your budget is *free* this
would work out pretty well. It has a SPAN port and is under $100 USD.

http://www.amazon.com/Netgear-GS108T-NAS-Prosafe-8-Port-Gigabit/dp/B003KP8VSK

I use one of these both at work and at home for doing monitoring and have
no complaints.

I dont have your setup, but I'd imagine that so long as both routers are
plugged into the unmanaged switch and that $HOME_NET on the snort box is
configured properly it will work. Of course, you'll probably have to set it
up and try it out to be 100% sure. :)


On Mon, May 13, 2013 at 8:23 AM, Shaun Marlin <shaun.marlin () canalta com>wrote:

> That does make sense.  The thing that I am most concerned about is because
> there is an unmanaged switch, could it fail?  I would love to have a SPAN
> setup, but that isn’t in the budget.****
>
> ** **
>
> *From:* Seth Dunn [mailto:seth () d2ms com]
> *Sent:* Monday, May 13, 2013 9:17 AM
> *To:* Shaun Marlin; snort-users () lists sourceforge net
> *Subject:* RE: [Snort-users] Monitoring Multiple Subnets****
>
> ** **
>
> For what I did....I don't have quite the same setup as you, but I needed
> to monitor multiple LANs.
> 10.75.x.x/24 and 10.76.x.x/24****
>
> I am using a Cisco switch for my networks.
> I set up SPAN on my switch, RSPAN is also available, to copy traffic from
> two ports in which inbound/outbound traffic flows for these LANs.....and
> set up the destination port for the port that my Snort box is listening on.
> ****
>
> ** **
>
> Then as someone noted, in your snort.conf file you need to make sure these
> two networks are part of your $HOME variable.****
>
> ** **
>
> *From:* Shaun Marlin [mailto:shaun.marlin () canalta com<shaun.marlin () canalta com>]
>
> *Sent:* Monday, May 13, 2013 11:04 AM
> *To:* snort-users () lists sourceforge net
> *Subject:* [Snort-users] Monitoring Multiple Subnets****
>
> ** **
>
> I am building a SNORT box to monitor my network.  I have 2 ISP’s.  Is it
> possible to have the 2 ISP’s connect into an unmanaged switch, then have
> SNORT configured with an IP from each block that I have, and finally pass
> the traffic back onto the switch that goes into my network?****
>
> ** **
>
> Sorry for the run on question there****
>
> ** **
>
> Essentially I am looking for something like this****
>
> ** **
>
> **
> **** **
>
> ** **
>
> ** **
>
> ************ISP 1****
>
>
> Router
> 1
> Internal Network****
>
>                                                                    ****
>
> ****
> ****
>
> **
> **** **
>
>
> ********ISP
> 2
> Router 2****
>
>
> ****
>
> ****
> SNORT****
>
> ** **
>
> ** **
>
>                                 Unmanaged Switch****
>
> ** **
>
> ** **
>
> SNORT would endup monitoring 3 different subnets.  For instance 1.1.1.0/27
> 2.2.2.0/27 and 3.3.3.0/29.****
>
> ** **
>
> Does anyone see a reason why this would not work****
>
> ** **
>
> *Shaun Marlin*
> Network Administrator
>
>
> *Canalta Family of Companies*****
>
> 2109 - 545 Highway 10 East
> Drumheller AB Canada T0J 0Y0
> PHONE: (403) 820-3865
> CELL:     (403) 334-1313  ****
>
> EMAIL:   shaun.marlin () canalta com
> WEB:      www.canalta.com
>
>  ****
>
> ** **
>
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and
> their applications. This 200-page book is written by three acclaimed
> leaders in the field. The early access version is available now.
> Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!