Snort mailing list archives

RE: SNORT and VLans


From: "Martin Jr., D. Michael" <martinm () montevallo edu>
Date: Thu, 26 Feb 2004 17:05:22 -0600

What you are describing is exactly the way we are configured. We
monitor all traffic (internal and external) on all 80+ vlans using one
Snort box. Luckily, our network topology has everything coming back to
one single core switch (Catalyst 4006) so we just set up monitoring of
all ports back to a single port for the Snort IDS. The syntax of our
commands is as follows:


monitor session 1 source interface Gi1/1 - 2
monitor session 1 source interface Gi3/1 - 6
monitor session 1 source interface Gi4/1 - 6
monitor session 1 source interface Fa5/1 - 26 , Fa5/28 - 48
monitor session 1 source interface Fa6/1 - 48
monitor session 1 destination interface Fa5/27


This setup has been a godsend for us in helping to locate possibly
infected machines. One problem with our installation of Snort (as I am
afraid any IDS would have to some degree) is the "false positives" we
sometimes get. You can automate all you want, but you will always need a
human being to sort through the data.


Hope this helps,

Michael Martin
University of Montevallo

  _____  

From: Puetz, Christoph [mailto:christoph.puetz () thomson com] 
Sent: Thursday, February 26, 2004 12:11 PM
To: 'snort-users () lists sourceforge net.'
Subject: [Snort-users] SNORT and VLans


Hello,

We're looking into the option of putting a NIDS system into place. We're
not just interested in seeing what is coming from the outside, but we
also want to monitor our VLans for unusual activity (e.g. virus
outbreaks, infected machines sending out SPAM or broadcasting the
payload via RPC buffer overflows and all that 'good' stuff).

Is SNORT an option for us at all? What would be the approach if I want
to monitor about 10 VLans and the uplink to the Internet? Do I just
throw 10 clients/sensors out to cover each VLan that report back to the
main box? Or would I need 10 additional ports on my Cisco switches (1
for each VLan)? Or is one bastion host on the uplink capable of giving me
the information I need from every VLan? I noticed in the archives that
some information is being stripped off when VLans are involved.

Thanks for your feedback.

Chris
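The "information being stripped" that Chris asks about is the 802.1Q VLAN tag: a sensor on a SPAN destination port can only tell the VLANs apart if the tags survive the mirror. The following is an added example, not code from either poster: a small Python parser that reads tagged (including stacked 802.1Q/802.1ad) and untagged Ethernet frames and tallies them per VLAN, using constructed sample frames and an assumed helper `build_frame` to generate them.

```python
"""Parse 802.1Q-tagged Ethernet frames as a sensor on a SPAN port sees them.

Added example, not part of the original thread; all frames are constructed.
"""
import struct
from collections import Counter

ETHERTYPE_VLAN = 0x8100  # IEEE 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8  # IEEE 802.1ad service tag (stacked VLANs)


def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN IDs (outermost first) and the payload ethertype."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlans = 14, []
    # Walk any stacked tags; each tag is TCI (2 bytes) + next ethertype (2 bytes).
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlans": vlans,
            "ethertype": ethertype, "payload": frame[offset:]}


def frames_per_vlan(frames) -> Counter:
    """Count frames by innermost VID; frames without a tag count as 'untagged'.

    When the SPAN session strips the tag, every frame ends up 'untagged' and
    the sensor can no longer attribute traffic to a VLAN.
    """
    counts = Counter()
    for frame in frames:
        info = parse_frame(frame)
        counts[info["vlans"][-1] if info["vlans"] else "untagged"] += 1
    return counts


def build_frame(vid=None, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Construct a minimal sample frame (assumed helper), optionally with one tag."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vid is None:
        return hdr + struct.pack("!H", ethertype) + payload
    return hdr + struct.pack("!HHH", ETHERTYPE_VLAN, vid, ethertype) + payload


# Constructed sample: two frames on VLAN 10, one on VLAN 20, one with no tag.
SAMPLE_FRAMES = [build_frame(10), build_frame(10), build_frame(20), build_frame()]
```

Running `frames_per_vlan(SAMPLE_FRAMES)` over the sample gives two frames for VLAN 10, one for VLAN 20 and one untagged; feed it the same frames with tags removed and everything collapses into "untagged", which is the situation the archives warn about.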


