[Snort-users] Snort multiple sensor configuration

Stephen Reese rsreese at ...11827...
Fri Oct 10 14:57:56 EDT 2008


> So are all the networks that talk to the internet going to be crossing your
> sniffing interface that you have behind the firewall?
>
> If so, then what is the sense in having the inside interface also watch
> traffic going out to the internet.
>
> Have your third interface set up as your HOME_NET = your internal network,
> and your EXTERNAL_NET = $HOME_NET.
>
> So basically you are watching network to network traffic.  Not Network to
> internet, since you already have an interface to do that.
>
> That way you aren't duplicating alerts.
>
> Joel

Internet *should* not come into the main network from the branch
networks. The main network 172.31.1.0, as well as the branches
172.31.2-5.0 have their own access via DSL connections. I would like
to mainly watch network to network traffic.

So HOME_NET = 172.31.1-5.0/24, and EXTERNAL_NET = $HOME_NET would
cover this? What if something does infiltrate the network not on one
of these subnets and crosses into the main network? Would it appear?

Lastly some of the servers and one of the branches access internet
through an MPLS connection that connects to a COLO, is there an efficient
way to monitor remote traffic at the border such as this or does
another snort box need to monitor this traffic?
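To make the HOME_NET / EXTERNAL_NET question concrete, here is an added example (not part of the thread and not Snort's own code) that simulates how a `$EXTERNAL_NET -> $HOME_NET` rule header, the form most Snort rules use, treats three constructed flows under three EXTERNAL_NET definitions. The flows and the `coverage()` helper are assumptions; the five /24s are the subnets named in the message.

```python
"""Simulate which flows a Snort rule header `$EXTERNAL_NET -> $HOME_NET`
applies to under the EXTERNAL_NET definitions discussed in the thread.
Constructed example; this is a model of the variable semantics, not Snort."""
import ipaddress

# The main network and the four branches, spelled out the way an
# `ipvar HOME_NET [ ... ]` list would have to list them (no 1-5 range syntax).
HOME_NET = ["172.31.1.0/24", "172.31.2.0/24", "172.31.3.0/24",
            "172.31.4.0/24", "172.31.5.0/24"]


def in_var(ip, spec):
    """True if `ip` is covered by IP-variable `spec`.
    `spec` is 'any', a list of CIDR strings, or ('not', list) for !$VAR."""
    if spec == "any":
        return True
    if isinstance(spec, tuple) and spec[0] == "not":
        return not in_var(ip, spec[1])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in spec)


def rule_matches(src, dst, external_net, home_net=HOME_NET):
    """Does a `$EXTERNAL_NET -> $HOME_NET` header apply to a src->dst flow?"""
    return in_var(src, external_net) and in_var(dst, home_net)


def coverage(external_net):
    """Map each constructed flow to whether the rule header sees it."""
    flows = {
        "branch->main": ("172.31.3.20", "172.31.1.10"),    # network to network
        "unknown->main": ("10.9.9.9", "172.31.1.10"),      # host on no listed subnet
        "main->internet": ("172.31.1.10", "203.0.113.7"),  # outbound, dst not HOME_NET
    }
    return {name: rule_matches(s, d, external_net) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, ext in [("EXTERNAL_NET = $HOME_NET", HOME_NET),
                       ("EXTERNAL_NET = !$HOME_NET", ("not", HOME_NET)),
                       ("EXTERNAL_NET = any", "any")]:
        print(label, coverage(ext))
```

With EXTERNAL_NET = $HOME_NET the branch-to-main flow is seen but the unknown-source flow is not; EXTERNAL_NET = any covers both, at the cost of the duplicate alerts Joel mentions if the other sensor also watches internet-bound traffic.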
