Snort mailing list archives
Re: Security onion, Snort, plus subnets?
From: "Castle, Shane" <scastle () bouldercounty org>
Date: Tue, 24 Apr 2012 16:52:02 +0000
Also, since this is a virtual environment, you may need to modify the virtual switch configuration to permit promiscuous mode on the sniffing interface (at any rate this must be done for VMware). Have you done your homework on sizing the disk storage required? If not, you might be surprised.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: Doug Burks [mailto:doug.burks () gmail com]
Sent: Tuesday, April 24, 2012 10:36
To: Corbin Fletcher
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Security onion, Snort, plus subnets?

Hi Corbin,

You should have one dedicated management interface (with an IP address) and one or more sniffing interfaces (without IP addresses) that receive traffic from your tap/span ports. You can configure the interfaces to be monitored in the Security Onion Setup wizard. If you choose Quick Setup, Security Onion will automatically monitor all ethernet interfaces. If you choose Advanced Setup, you'll be able to choose one or more interfaces to be monitored.

If you have more questions specific to Security Onion, please feel free to use our Security Onion mailing list:
http://groups.google.com/group/security-onion

Thanks,
Doug

On Tue, Apr 24, 2012 at 11:30 AM, Corbin Fletcher <corbin () freeway com> wrote:
Hello All--

We have made some good progress... we now have installed Security Onion in a virtual environment, in our data center, and we have configured Snort. We are using Squert, Snorby, and Sguil to monitor events as they occur.

Our sensor appears to only be monitoring traffic on our private network (subnet), 10.10.xx.xxx. This is also the subnet where our sensor lives. Our sensor's IP address is 10.10.xx.xxx.

The next step is to configure our Snort sensor to monitor all traffic coming from our main switch (Cisco 2960G), e.g., monitor all traffic on our network. We will need to configure Snort to watch the SPAN port on our switch. Can anyone advise on how best to achieve this goal, on the sensor side? Do we need to add a network in the Snort config file? I am lost at this point and any advice on Snort configuration is much appreciated.

Is there another way to best and easily achieve our goal to monitor all traffic on our network with Snort? Another way to ask this question... how can I configure Snort to monitor all traffic throughout our small data center, which provides VoIP services, including private addresses (e.g., 10.10.xx.xxx) and other subnets (66.113.xx.xxx)?

At this point, Snort is monitoring a small segment (subnet) of a large network; therefore, we are not receiving the full benefit of the data our Snort sensor is collecting.

Thanks in advance... any information will be helpful.

~Corbin

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012
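As an added example, not part of this thread or of Security Onion itself: a small POSIX shell check that encodes the two rules given above for a Linux sensor, Doug's (a sniffing interface carries no IP address) and Shane's (promiscuous mode must be enabled, and the virtual switch must allow it). The interface names and the sample `ip` output are constructed for the demo.

```shell
# check_sniff_iface LINK_LINE ADDR_LINES
#   LINK_LINE : one line of `ip -o link show dev IFACE`
#   ADDR_LINES: output of `ip -o addr show dev IFACE` (empty if no address)
# Prints each problem found; returns 0 only if the interface is UP, has the
# PROMISC flag and carries no inet/inet6 address.
check_sniff_iface() {
    link="$1"
    addrs="$2"
    rc=0
    if [ -z "$link" ]; then
        echo "no such interface"
        return 1
    fi
    # Pull the comma-separated flag list out of the <...> part of the line.
    flags=$(printf '%s\n' "$link" | sed -n 's/.*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *,UP,*) ;;
        *) echo "interface is administratively down"; rc=1 ;;
    esac
    case ",$flags," in
        *,PROMISC,*) ;;
        *) echo "PROMISC not set: enable it on the NIC and allow it on the vSwitch"; rc=1 ;;
    esac
    # Any inet/inet6 address means the sensor is addressable on the span side.
    if printf '%s\n' "$addrs" | grep -Eq '(^|[[:space:]])inet6?[[:space:]]'; then
        echo "interface has an IP address; sniffing interfaces should have none"
        rc=1
    fi
    return $rc
}

# Wrapper for a live sensor (hypothetical usage): check_live_iface eth1
check_live_iface() {
    check_sniff_iface "$(ip -o link show dev "$1" 2>/dev/null)" \
                      "$(ip -o addr show dev "$1" 2>/dev/null)"
}

# Constructed sample: a correctly configured sniffing NIC ...
GOOD_LINK='2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 00:0c:29:aa:bb:cc brd ff:ff:ff:ff:ff:ff'
# ... and a NIC that is not promiscuous and still carries an address.
BAD_LINK='3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 00:0c:29:dd:ee:ff brd ff:ff:ff:ff:ff:ff'
BAD_ADDR='3: eth2    inet 10.10.1.5/24 brd 10.10.1.255 scope global eth2\       valid_lft forever preferred_lft forever'

check_sniff_iface "$GOOD_LINK" "" && echo "eth1: OK as a sniffing interface"
check_sniff_iface "$BAD_LINK" "$BAD_ADDR" || echo "eth2: not usable as a sniffing interface"
```

Note that this only inspects the guest side; a PROMISC flag on the guest NIC still delivers nothing if the hypervisor's port group rejects promiscuous mode, which is the VMware point Shane raises.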