Snort mailing list archives

Re: Segmenting Network Parts


From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Thu, 20 Mar 2003 04:43:57 -0600 (CST)

On Thu, 20 Mar 2003, Jan van den Berg wrote:

Hi there,


I have a machine with 2 NICs which I want to use as the sensor. I'm
thinking of doing this by plugging this box into the switch with one NIC
with a read-only cable and/or putting the interface in "stealth" mode
(so without an IP). The other NIC I want to use for the management

Good.

<snip>

First how can I make the sensor not to sniff NIC2?

Pass the command line option -i to snort to specify you want to look at
traffic on NIC1 (eth0 or equivalent).

Or say I want to
sniff different VLANs and not the entire traffic stream how do I go
about this?

Two ways come to mind.  First way is to use network topology and
configuration.  If you only want traffic from a certain network, place
your sensor in that network.  You may be able to use the functionality of
your switch to help you as well.

http://www.snort.org/docs/faq.html#1.8

Second way is to use snort bpf filters.

http://www.snort.org/docs/faq.html#3.10

So how do I go about segmenting different network parts off
of the sensor?

Same as above.

Hope that helps.
---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com
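
The two suggestions in the reply above (`-i` to bind Snort to the sniffing NIC, a BPF filter to limit which segments are inspected), combined as an added example that is not part of the original message. It assumes the segments of interest are identified by IP subnet; `eth0`, the config path and the subnets are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface name, config path
# and subnets below are assumptions chosen for illustration.

# build_bpf NET [NET...]
# Print a BPF expression matching traffic to or from any of the given CIDR
# networks, e.g. "(net 10.1.0.0/16) or (net 10.2.0.0/16)".
build_bpf() {
    filter=""
    for net in "$@"; do
        # Accept only digits, dots and a slash so that nothing else can be
        # smuggled into the filter string or the command line.
        case "$net" in
            *[!0-9./]*|"") echo "bad network: $net" >&2; return 1 ;;
        esac
        if [ -z "$filter" ]; then
            filter="(net $net)"
        else
            filter="$filter or (net $net)"
        fi
    done
    [ -n "$filter" ] || { echo "no networks given" >&2; return 1; }
    printf '%s\n' "$filter"
}

# snort_cmd IFACE NET [NET...]
# Print (not run) the Snort command line: -i selects the sniffing NIC, and
# the trailing argument is the BPF filter Snort hands to libpcap.
snort_cmd() {
    iface=$1; shift
    bpf=$(build_bpf "$@") || return 1
    printf "snort -i %s -c /etc/snort/snort.conf '%s'\n" "$iface" "$bpf"
}

# Sensor listens on eth0 only and inspects two constructed sample subnets.
snort_cmd eth0 10.1.0.0/16 10.2.0.0/16
```

Packets that do not match the filter are dropped before Snort's detection engine sees them, so anything outside the listed subnets generates no alerts at all.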


