Snort mailing list archives

RE: Can Snort monitor multiple VLANs from a single box?


From: "Escudero, Peter Louis" <peterlouis.escudero () eds com>
Date: Wed, 6 Apr 2005 12:24:12 -0400

Many thanks to all who gave advice. It now looks like the scanner tool we're
using (nmap v3.81) might be the root cause of the problem. On one Cisco 2950
switch we used nmap to scan a bunch of Sun Solaris boxes, & snort was able
to capture the alerts & send them to the MySQL database on another box. But
when we tried to scan the switch itself, as well as its failover partner,
snort didn't see anything. The other Cisco 2950 switch that's being
monitored by another snort instance is also a 2950, but it only has a Cisco
PIX, a switch & a Cisco CSS on it (no servers). Snort didn't see anything
from that switch, either. The Cisco GigE switch has several Windows servers
on it, but again snort didn't capture any alerts. So my question is, what
options should we use with nmap to simulate attacks on switches, firewalls,
routers & Windows boxes, so we can generate alerts that snort can capture?
The syntax we've been using is "nmap -v -A -T5 <targets>". On the 1st switch
above, we tried all the relevant options available, to no avail.
 

Peter Escudero 


  _____  

From: Basselgia, Barry A Mr (NAF Atsugi)
[mailto:BABasselgia () atsugi navy mil] 
Sent: Tuesday, April 05, 2005 4:49 PM
To: Peter Barton; Snort-users () lists sourceforge net; Escudero, Peter Louis
Subject: RE: [Snort-users] Can Snort monitor multiple VLANs?



I think that it depends on how you have the monitoring/span port on the Cisco
switches configured.  If the port is configured to send the traffic to the
snort box, I don't know why it wouldn't work.  If you try to monitor a GIG
switch with a 10/100 interface in your snort box, the switch is going to
start dropping packets when traffic gets too much for the 10/100 interface.
 
I have a snort sensor running on a Dell Precision 340 with 6 network
interfaces, 4 GIG and 2 10/100.  I'm running SuSE 9.1 and snort 2.3.2.  I
have the 4 GIG interfaces bonded together as bond0 and bond1, I'm using taps
with these interfaces.  One of the 10/100 ports is monitoring a Cisco
switch, the other is my management interface.
 
I have 3 instances of snort and barnyard running, 1 each for eth0, bond0,
and bond1.  I'm using the same snort config file and rules for all 3
instances.  The startup/sysconfig scripts provided with snort 2.3.2 work
nicely for this.  Just copied the files to init.d and sysconfig.  In the
sysconfig/snort file I have INTERFACE="eth0 bond0 bond1".  The snortd script
then starts 3 instances of snort with no problem.  The unified log files end
up in:
 
/var/log/snort/eth0
/var/log/snort/bond0
/var/log/snort/bond1
 
I then setup 3 barnyard config files, barnyard-eth0.conf,
barnyard-bond0.conf, and barnyard-bond1.conf to process the unified logs
into a mysql database on a different machine.  I copied the snortd script to
barnyardd and modified it to start barnyard instead of snort.  Everything
works pretty well.
 
The whole trick to getting the above to work is you have to have enough
memory in your snort box.  When I first set this up, I was dropping a lot of
packets, but I only had 256meg of memory.  I upgraded to 512meg and the
packet drop rate went down.  I've got memory on order to take the system to
1gig, I think that will really help. 
 
Barry
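An added illustration of the per-interface barnyard launcher Barry describes (one barnyard per snort instance, each reading its own /var/log/snort/<iface> unified log directory); this is example code written for this archive, not Barry's actual barnyardd script. It assumes barnyard 0.2-style flags (-c config, -d spool dir, -f base filename, -w waldo file, -D daemon) and config files named /etc/barnyard-<iface>.conf, and it refuses to start an instance whose log directory or config file is missing.

```shell
#!/bin/sh
# barnyardd-style launcher: one barnyard process per snort interface.
# Everything below is a constructed example; paths and flags are assumptions.

# Mirrors INTERFACE= in /etc/sysconfig/snort (constructed value)
INTERFACE="eth0 bond0 bond1"
LOGBASE="/var/log/snort"   # snort writes unified logs to $LOGBASE/<iface>
CONFDIR="/etc"             # per-interface barnyard configs live here
BARNYARD="barnyard"

# Build the command line for one interface.  Each instance gets its own
# config, its own unified-log directory and its own waldo (bookmark) file,
# so the processes never read or checkpoint each other's spool.
barnyard_cmd() {
    iface="$1"
    echo "$BARNYARD -c $CONFDIR/barnyard-$iface.conf -d $LOGBASE/$iface -f snort.log -w $LOGBASE/$iface/barnyard.waldo -D"
}

# Pre-flight check: the directory snort logs to and the config for this
# interface must both exist.  Returns 1 (and says why) if either is missing,
# so a typo in INTERFACE does not silently leave one VLAN unmonitored.
check_iface() {
    iface="$1"
    if [ ! -d "$LOGBASE/$iface" ]; then
        echo "barnyardd: missing log dir $LOGBASE/$iface" >&2
        return 1
    fi
    if [ ! -f "$CONFDIR/barnyard-$iface.conf" ]; then
        echo "barnyardd: missing $CONFDIR/barnyard-$iface.conf" >&2
        return 1
    fi
    return 0
}

# Start every interface that passes the check; skip (but report) the rest.
start_all() {
    for iface in $INTERFACE; do
        check_iface "$iface" || continue
        # word-splitting of the generated command line is intended here
        $(barnyard_cmd "$iface")
    done
}

# Only launch when invoked as "barnyardd start"; sourcing the file is harmless.
case "${1:-}" in
    start) start_all ;;
esac
```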
 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Peter Barton
Sent: Wednesday, April 06, 2005 1:02 AM
To: Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Can Snort monitor multiple VLANs?



If you are having Snort log directly to MySql then the easiest way to do it
is to have multiple instances of Snort running, one for each interface.

 

My question to everyone is, what if you use Barnyard to write to MySql and
have Snort just write to binary files.  I still have multiple instances of
Snort running, but I can only seem to get one instance of Barnyard running.
Is there a trick to this or am I just going about this the wrong way?

 

Thanks,

 

Peter Barton

 

 


  _____  


From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Escudero,
Peter Louis
Sent: Tuesday, April 05, 2005 10:54 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Can Snort monitor multiple VLANs?

 

Our IDS box is a Dell PE750 running SuSE Linux 9.1 Pro & snort v2.1.x, with
a quad 10/100 NIC card. Three of the ports are hooked up to 3 different
Cisco switches, representing 3 different VLANs. We're able to capture alerts
from one switch, but not from the others. Is snort able to monitor different
VLANs? Or do we need a separate IDS box for each VLAN? Any info you can
provide will be greatly appreciated.

 

Peter Escudero 

