[Snort-users] SNORT and VLans

twig les twigles at ...131...
Thu Feb 26 13:26:08 EST 2004


--- "Puetz, Christoph" <christoph.puetz at ...9283...> wrote:
> Hello,
>  
> We're looking into the option of putting a NIDS system into
> place. We're not
> just interested in seeing what is coming from the outside, but
> we also want
> to monitor our VLans for unusual activity (e.g. virus
> outbreaks, infected
> machines sending out SPAM or broadcasting the payload via RPC
> buffer
> overflows and all that 'good' stuff). 
>  
> Is SNORT an option for us at all? What would be the approach
> if I want to
> monitor about 10 VLans and the uplink to the Internet? Do I
> just throw 10
> clients/sensors out to cover each VLan that report back to the
> main box? Or
> would I need 10 additional ports on my Cisco switches (1 for
> each VLan)? Or
> is one bastion host on the uplink capable to give me the
> information I need
> from every VLan? I noticed in the archives that some
> information is being
> stripped off when VLans are involved.
>  

Your requirements will depend on your Cisco switch.  The older
(2-4 years) 35xx and 29xx switches can only monitor one vlan per
monitoring session, so if you have 3 vlans each running 5 megs
of traffic you could prolly get away with one snort box with
multiple NICs.  Bigger/newer Cisco switches (6500s, 3550s) can
monitor multiple vlans, all outputing to one physical port so a
nice NIC will do it (might need to go gig).  Unfortunately the
syntax and details have changed several times, if I didn't
already drink it might drive me to.

If you just watch the link to the internet you won't see local
attacks, like when MS boxes blast (pun!) each other with the
latest worm, or maybe something less automated.

One option is putting in 2-3 snort boxes with multiple
interfaces, each interface having a snort process attached to it
that is tuned for that network.  So a box might have 2 snort
processes that have 1.1.1.0/25 as the HOME_NET on interface fxp0
and then 1.1.1.128/25 as the HOME_NET on interface fxp1.  (fxp
is FreeBSD-speak, you might have eth0/1)

=====
-----------------------------------------------------------
With a few exceptions, secrecy is deeply incompatible with
democracy and with science.
     --Carl Sagan  
-----------------------------------------------------------

__________________________________
Do you Yahoo!?
Get better spam protection with Yahoo! Mail.
http://antispam.yahoo.com/tools




More information about the Snort-users mailing list