[Snort-users] Can Snort monitor multiple VLANs from a single box?

Escudero, Peter Louis peterlouis.escudero at ...7950...
Thu Apr 7 08:28:51 EDT 2005


Thanks for the catch-all rule, Eric. Our problem is solved. I forgot
that in snort.conf some rules are disabled by default to account for
site policy & reduce false positives. Once we enabled all of them we
started getting alerts from the switches & the Windows servers. There
was nothing wrong with nmap or the switches after all :)

BTW, we've started using NeWT (Nessus for Windows Technology) v2.1, from
Tenable Security, to do our scanning. I think it's better than nmap, & I
can run it standalone from my laptop. It even tells me what to do if it
finds a security hole. Thanks again everyone for your help.

Peter Escudero

-----Original Message-----
From: Eric Maheo [mailto:eric.maheo at ...8860...] 
Sent: Wednesday, April 06, 2005 1:51 PM
To: Escudero, Peter Louis
Subject: RE: [Snort-users] Can Snort monitor multiple VLANs from a
single box?

On Wed, 2005-04-06 at 12:24 -0400, Escudero, Peter Louis wrote:
> Many thanks to all who gave advice. It now looks like the scanner tool

> we're using (nmap v3.81) might be the root cause of the problem.

Well what I will do is a rule for snort that can catch a lot of events,
kind of catch-all rule on a port...
like :

alert tcp any any -> any $HTTP_PORTS (msg:"test http";
classtype:attempted-admin; sid:3000000; rev:1;)

add this in your local.rules and add an entry (3000000 || test http) in
your sid-msg.map if you use barnyard and restart your agent.

This will capture all traffic on port 80.... so just let this rule a few
minutes or seconds...and you can monitor your snort log file with a tail
-f <file_name> 

I think but not sure tho... but it seems that you cannot scan your own
network and generate alerts with snort. I don't where but there are some
options for that in the preprocessor portscan, flow....
Anyway this rule will tell you for sure that your installation and
configuration with your snort is ok. Well I will also do a tcpdump -i
interface port 80  and if you see some traffic on your console well the
snort rule I gave you will log the same traffic.

Once it works fine you can investigate other part of your installation
to see why when you nmap it doesn't do what you expect...


I hope it helps.

-- 

Eric Maheo
Vice President of Engineering,

Applied Watch Technologies, LLC
1134 N. Main St.
Algonquin, IL 60102

Tel: (877) 262-7593 x324
Fax: (877) 262-7593

Email: eric.maheo at ...8860...
Web: http://www.appliedwatch.com


>  On one Cisco 2950 switch we used nmap to scan a bunch of Sun Solaris 
> boxes, & snort was able to capture the alerts & send them to the MySQL

> database on another box. But when we tried to scan the switch itself, 
> as well as its failover partner, snort didn't see anything. The other 
> Cisco 2950 switch that's being monitored by another snort instance is 
> also a 2950, but it only has a Cisco PIX, a switch & a Cisco CSS on it

> (no servers). Snort didn't see anything from that switch, either. The 
> Cisco GigE switch has several Windows servers on it, but again snort 
> didn't capture any alerts. So my question is, what options should we 
> use with nmap to simulate attacks on switches, firewalls, routers & 
> Windows boxes, so we can generate alerts that snort can capture? The 
> syntax we've been using is "nmap -v -A -T5 <targets>". On the 1st 
> switch above, we tried all the relevant options available, to no 
> avail.
>  
> 
> Peter Escudero
> 
> 
> ______________________________________________________________________
> 
> From: Basselgia, Barry A Mr (NAF Atsugi) 
> [mailto:BABasselgia at ...12104...]
> Sent: Tuesday, April 05, 2005 4:49 PM
> To: Peter Barton; Snort-users at lists.sourceforge.net; Escudero, Peter 
> Louis
> Subject: RE: [Snort-users] Can Snort monitor multiple VLANs?
> 
> 
> 
>         I think that it depend on how you have the monitoring/span
>         port on the Cisco switches configured.  If the port is
>         configured to send the traffic to the snort box, I don't know
>         why it wouldn't work.  If you try to monitor a GIG switch with
>         a 10/100 interface in your snort box, the switch is going to
>         start dropping packets when traffic gets to much for the
>         10/100 interface.
>          
>         I have a snort sensor running on a Dell Precision 340 with 6
>         network interfaces, 4 GIG and 2 10/100.  I'm running SuSE 9.1
>         and snort 2.3.2.  I have the 4 GIG interfaces bonded together
>         as bond0 and bond1, I'm using taps with these interfaces.  One
>         of the 10/100 ports is monitoring a Cisco switch, the other is
>         my management interface.
>          
>         I have an 3 instances of snort and barnyard running, 1
>         each for eth0, bond0, and bond1.  I'm using the same snort
>         config file and rules for all 3 instances.  The
>         startup/sysconfig scripts provided with snort 2.3.2 work
>         nicely for this.  Just copied the files to init.d and
>         sysconfig.  In the sysconfig/snort file I have INTERFACE="eth0
>         bond0 bond1".  The snortd script then starts 3 instances of
>         snort with no problem.  The unified log files end up in:
>          
>         /var/log/snort/eth0
>         /var/log/snort/bond0
>         /var/log/snort/bond1
>          
>         I then setup 3 barnyard config files, barnyard-eth0.conf,
>         barnyard-bond0.conf, and barnyard-bond1.conf to process the
>         unified logs into a mysql database on a different machine.  I
>         copied the snortd script to barnyardd and modified it to start
>         barnyard instead of snort.  Everything works pretty good.
>          
>         The whole trick to getting the above to work, is you have to
>         have enough memory in your snort box.  When I first set this
>         up, I was dropping a lot of packets, but I only had 256meg of
>         memory.  I upgraded to 512meg and the packet drop rate when
>         down.  I've got memory on order to take the system to 1gig, I
>         think that will really help. 
>          
>         Barry
>          
>                 -----Original Message-----
>                 From: snort-users-admin at lists.sourceforge.net
>                 [mailto:snort-users-admin at lists.sourceforge.net]On
>                 Behalf Of Peter Barton
>                 Sent: Wednesday, April 06, 2005 1:02 AM
>                 To: Snort-users at lists.sourceforge.net
>                 Subject: RE: [Snort-users] Can Snort monitor multiple
>                 VLANs?
>                 
>                 
>                 
>                 If you are having Snort log directly to MySql then the
>                 easiest way to do it is to have multiple instances of
>                 Snort running, one for each interface.
>                 
>                  
>                 
>                 My question to everyone is, what if you use Barnyard
>                 to write to MySql and have Snort just write to binary
>                 files.  I still have multiple instances of Snort
>                 running, but I can only seem to get one instance of
>                 Barnyard running.  Is there a trick to this or am I
>                 just going about this the wrong way?
>                 
>                  
>                 
>                 Thanks,
>                 
>                  
>                 
>                 Peter Barton
>                 
>                  
>                 
>                  
>                 
>                                            
>                 ______________________________________________________
>                 
>                 From: snort-users-admin at lists.sourceforge.net
>                 [mailto:snort-users-admin at lists.sourceforge.net] On
>                 Behalf Of Escudero, Peter Louis
>                 Sent: Tuesday, April 05, 2005 10:54 AM
>                 To: Snort-users at lists.sourceforge.net
>                 Subject: [Snort-users] Can Snort monitor multiple
>                 VLANs?
>                 
>                 
>                  
>                 
>                 Our IDS box is a Dell PE750 running SuSE Linux 9.1 Pro
>                 & snort v2.1.x, with a quad 10/100 NIC card. Three of
>                 the ports are hooked up to 3 different Cisco switches,
>                 representing 3 different VLANs. We're able to capture
>                 alerts from one switch, but not from the others. Is
>                 snort able to monitor different VLANs? Or do we need a
>                 separate IDS box for each VLAN? Any info you can
>                 provide will be greatly appreciated.
>                 
>                 
>                  
>                 
>                 
>                 Peter Escudero
>                 
>                 





More information about the Snort-users mailing list