[Snort-users] SNORT and VLans
Martin Jr., D. Michael
martinm at ...10218...
Thu Feb 26 15:16:02 EST 2004
What you are describing is exactly the way we are configured. We
monitor all traffic (internal and external) on all 80+ vlans using one
Snort box. Luckily, our network topology has everything coming back to
one single core switch (Catalyst 4006) so we just setup monitoring of
all ports back to a single port for the Snort IDS. The syntax of our
commands are as follows:
monitor session 1 source interface Gi1/1 - 2
monitor session 1 source interface Gi3/1 - 6
monitor session 1 source interface Gi4/1 - 6
monitor session 1 source interface Fa5/1 - 26 , Fa5/28 - 48
monitor session 1 source interface Fa6/1 - 48
monitor session 1 destination interface Fa5/27
This setup has been a godsend for us in helping to locate possible
infected machines. One problem with our installation of Snort (as I am
afraid any IDS would have to some degree) is the "false positives" we
sometimes get. You can automate all you want but you will always need a
human being to sort through the data.
Hope this helps,
University of Montevallo
From: Puetz, Christoph [mailto:christoph.puetz at ...9283...]
Sent: Thursday, February 26, 2004 12:11 PM
To: 'snort-users at ...314...'
Subject: [Snort-users] SNORT and VLans
We're looking into the option of putting a NIDS system into place. We're
not just interested in seeing what is coming from the outside, but we
also want to monitor our VLans for unusual activity (e.g. virus
outbreaks, infected machines sending out SPAM or broadcasting the
payload via RPC buffer overflows and all that 'good' stuff).
Is SNORT an option for us at all? What would be the approach if I want
to monitor about 10 VLans and the uplink to the Internet? Do I just
throw 10 clients/sensors out to cover each VLan that report back to the
main box? Or would I need 10 additional ports on my Cisco switches (1
for each VLan)? Or is one bastion host on the uplink capable to give me
the information I need from every VLan? I noticed in the archives that
some information is being stripped off when VLans are involved.
Thanks for your feedback.
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users