Snort mailing list archives

Re: Security onion, Snort, plus subnets?


From: "Castle, Shane" <scastle () bouldercounty org>
Date: Tue, 24 Apr 2012 16:52:02 +0000

Also, since this is a virtual environment, you may need to modify the virtual switch configuration to permit 
promiscuous mode on the sniffing interface (at any rate this must be done for VMware).

Have you done your homework on sizing the disk storage required? If not, you might be surprised.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-----Original Message-----
From: Doug Burks [mailto:doug.burks () gmail com] 
Sent: Tuesday, April 24, 2012 10:36
To: Corbin Fletcher
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Security onion, Snort, plus subnets?

Hi Corbin,

You should have one dedicated management interface (with an IP
address) and one or more sniffing interfaces (without IP addresses)
that receive traffic from your tap/span ports.  You can configure the
interfaces to be monitored in the Security Onion Setup wizard.  If you
choose Quick Setup, Security Onion will automatically monitor all
ethernet interfaces.  If you choose Advanced Setup, you'll be able to
choose one or more interfaces to be monitored.

If you have more questions specific to Security Onion, please feel
free to use our Security Onion mailing list:
http://groups.google.com/group/security-onion

Thanks,
Doug

On Tue, Apr 24, 2012 at 11:30 AM, Corbin Fletcher <corbin () freeway com> wrote:
Hello All--

We have made some good progress...we now have installed Security Onion
in a virtual environment, on our data center, and we have configured
Snort. We are using Squert, Snorby, and Sguil to monitor events as they
occur.

Our sensor appears to only be monitoring traffic on our private network
(subnet), 10.10.xx.xxx. This is also the subnet where our sensor lives.
Our sensor's IP address is 10.10.xx.xxx.

The next step is to configure our Snort sensor to monitor all traffic
coming from our main switch (Cisco 2960G) e.g., monitor all traffic on
our network.

We will need to configure Snort to watch the SPAN port on our switch.

Can anyone advise on how best to achieve this goal on the sensor side?
Do we need to add a network in the Snort config file? I am lost at this
point and any advice on Snort configuration is much appreciated.

Is there another way to best and easily achieve our goal to monitor all
traffic on our network with Snort?

Another way to ask this question: how can I configure Snort to monitor
all traffic throughout our small data center, which provides VoIP
services, including private addresses (e.g., 10.10.xx.xxx)
and other subnets (66.113.xx.xxx)?

At this point, Snort is monitoring on a small segment (subnet) on a
large network; therefore, we are not receiving the full benefit of the
data our Snort sensor is collecting.

Thanks in advance...any information will be helpful. ~Corbin

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



-- 
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012



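A worked example of the sensor-side steps the thread covers, added here as an illustration and not code from any of the posters or from the Security Onion project: it turns a Linux interface into the IP-less sniffing interface Doug describes (promiscuous, no address, NIC offloading disabled so Snort sees frames as they were on the wire), checks the kernel promiscuous flag that Shane's VMware remark depends on, and emits the HOME_NET/EXTERNAL_NET lines Corbin asks about. The interface name eth1 and the prefix lengths /16 and /24 are assumptions; adjust them to the real SPAN-connected NIC and subnets.

```shell
#!/bin/sh
# Added example: prepare and verify a Snort / Security Onion sniffing
# interface on a Linux sensor. "eth1" is a hypothetical interface name.

# Emit (or, with APPLY=1, run) the commands that make IFACE a sniffing
# interface: flush any address, bring it up promiscuous with ARP and
# multicast off, disable offloads that would merge or mangle packets
# before Snort sees them, and keep IPv6 from auto-assigning an address.
setup_sniff_iface() {
    iface=$1
    for cmd in \
        "ip addr flush dev $iface" \
        "ip link set dev $iface arp off multicast off promisc on up" \
        "ethtool -K $iface gro off lro off tso off gso off rx off tx off" \
        "sysctl -w net.ipv6.conf.$iface.disable_ipv6=1"
    do
        if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
    done
}

# True when an IFF_* flag word (hex, as found in /sys/class/net/IFACE/flags)
# has the IFF_PROMISC bit (0x100) set.
is_promisc_flags() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Live check of a sniffing interface: promiscuous bit set, no IPv4/IPv6
# address assigned. Returns non-zero and says why on failure.
check_sniff_iface() {
    iface=$1
    if ! is_promisc_flags "$(cat "/sys/class/net/$iface/flags")"; then
        echo "$iface: not in promiscuous mode"; return 1
    fi
    if ip -o addr show dev "$iface" | grep -q 'inet'; then
        echo "$iface: has an IP address; a sniffing interface should have none"
        return 1
    fi
    echo "$iface: ok"
}

# Build the snort.conf variable lines that cover every monitored subnet,
# e.g. home_net_line 10.10.0.0/16 66.113.0.0/24 (prefix lengths assumed).
home_net_line() {
    nets=$(IFS=,; printf '%s' "$*")
    echo "ipvar HOME_NET [$nets]"
    echo "ipvar EXTERNAL_NET !\$HOME_NET"
}

# Usage (as root, once eth1 is cabled to the switch SPAN port):
#   APPLY=1 setup_sniff_iface eth1 && check_sniff_iface eth1
#   home_net_line 10.10.0.0/16 66.113.0.0/24 >> /etc/nsm/rules/... (path per sensor)
```

On a VMware guest the PROMISC flag can be set inside the VM and `check_sniff_iface` will still pass while the interface receives nothing, because the vSwitch or port group security policy must also have Promiscuous Mode set to Accept, which is the point of Shane's note. Keep the management NIC separate from the sniffing NICs, since the Quick Setup option Doug mentions monitors every ethernet interface it finds.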