[Snort-users] Can Snort monitor multiple VLANs from a single box?

Escudero, Peter Louis peterlouis.escudero at ...7950...
Tue Apr 5 12:15:56 EDT 2005


Thanks, it's the same file in SuSE. So do I say INTERFACE="eth1 eth2
eth3" or INTERFACE="eth1, eth2, eth3"? Are you also saying that I don't
need to have a separate IDS box for each VLAN, that snort can sniff on
multiple VLANs from a single box?


Peter Escudero

-----Original Message-----
From: Robert Bilbrey [mailto:rbilbrey at ...13244...] 
Sent: Tuesday, April 05, 2005 10:40 AM
To: Escudero, Peter Louis
Subject: Re: [Snort-users] Can Snort monitor multiple VLANs?

I don't know about Suse, but on RHEL3 you define the interfaces you want
snort to listen on in /etc/sysconfig/snort.
Edit the line:
INTERFACE="eth1" to include the interfaces to listen on. The init script
will use this to launch the appropriate number of instances of snortd
listening on the interfaces listed.
bb

Escudero, Peter Louis wrote:
> 
> Thanks for the input, Peter. Sorry I can't help you with Barnyard. One
> of the Cisco switches we can't capture alerts from is GigE. Does that 
> matter? The Dell PE750 has 2 onboard GigE NICs. Should we hook up one 
> of them to the Cisco GigE switch then, & have snort sniff on that 
> interface? We, too, have multiple instances of snort running. Please 
> advise. Thanks again.
>  
> 
> Peter Escudero
> 
> *From:* snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] *On Behalf Of *Peter 
> Barton
> *Sent:* Tuesday, April 05, 2005 9:02 AM
> *To:* Snort-users at lists.sourceforge.net
> *Subject:* RE: [Snort-users] Can Snort monitor multiple VLANs?
> 
>     If you are having Snort log directly to MySql then the easiest way
>     to do it is to have multiple instances of Snort running, one for
>     each interface.
> 
>      
> 
>     My question to everyone is, what if you use Barnyard to write to
>     MySql and have Snort just write to binary files.  I still have
>     multiple instances of Snort running, but I can only seem to get one
>     instance of Barnyard running.  Is there a trick to this or am I just
>     going about this the wrong way?
> 
>      
> 
>     Thanks,
> 
>      
> 
>     Peter Barton
> 
>      
> 
>      
> 
>     * From: * snort-users-admin at lists.sourceforge.net
>     [mailto:snort-users-admin at lists.sourceforge.net] *On Behalf Of
>     *Escudero, Peter Louis
>     *Sent:* Tuesday, April 05, 2005 10:54 AM
>     *To:* Snort-users at lists.sourceforge.net
>     *Subject:* [Snort-users] Can Snort monitor multiple VLANs?
> 
>      
> 
>     Our IDS box is a Dell PE750 running SuSE Linux 9.1 Pro & snort
>     v2.1.x, with a quad 10/100 NIC card. Three of the ports are hooked
>     up to 3 different Cisco switches, representing 3 different VLANs.
>     We're able to capture alerts from one switch, but not from the
>     others. Is snort able to monitor different VLANs? Or do we need a
>     separate IDS box for each VLAN? Any info you can provide will be
>     greatly appreciated.
> 
>      
> 
>     Peter Escudero
> 
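
Added example, not part of the original thread and not the RHEL or SuSE init script: a shell version of the one-Snort-instance-per-interface approach described above. The paths, the function names and the acceptance of both space- and comma-separated lists are assumptions of this example; the thread does not say which separator the distribution's script expects.

```shell
#!/bin/sh
# Added example: one Snort instance per sniffing interface.
# Paths below are assumptions; adjust them to the local install.
SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOG_BASE="${LOG_BASE:-/var/log/snort}"

# Split an INTERFACE value into one name per line. Spaces, tabs and commas
# all count as separators; empty fields and duplicates are dropped.
split_interfaces() {
    printf '%s\n' "$1" | tr ', \t' '\n\n\n' | awk 'NF && !seen[$0]++'
}

# Accept only characters that occur in interface names (eth1, eth0.10, bond0:1).
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Dry run: print the command line each instance would be started with.
snort_commands() {
    split_interfaces "$1" | while IFS= read -r ifc; do
        if ! valid_name "$ifc"; then
            echo "skipping invalid interface name: $ifc" >&2
            continue
        fi
        printf '%s -D -i %s -c %s -l %s/%s\n' \
            "$SNORT_BIN" "$ifc" "$SNORT_CONF" "$LOG_BASE" "$ifc"
    done
}

# Start the instances: a separate log directory per interface keeps each
# instance's alert and binary log files apart.
start_all() {
    split_interfaces "$1" | while IFS= read -r ifc; do
        valid_name "$ifc" || continue
        mkdir -p "$LOG_BASE/$ifc" &&
            "$SNORT_BIN" -D -i "$ifc" -c "$SNORT_CONF" -l "$LOG_BASE/$ifc"
    done
}

# Usage: snort_commands "eth1, eth2 eth3"   (inspect)
#        start_all "eth1 eth2 eth3"         (run as root)
```
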