[Snort-users] Can Snort monitor multiple VLANs on a VM?

Jun Wan junwei_wan at ...125...
Thu Apr 8 02:13:02 EDT 2010


Hi, 
 
I am new to Snort; I followed the instructions at this URL: https://wwwx.cs.unc.edu/~hays/archives/work/index.php
 
All went well: Snort is running and I am getting many Snort alerts in BASE and in the terminal.
 
Snort 2.8.4.1 and Barnyard2 on Ubuntu 9.10 are running on my Acer box with a dual-core Intel CPU @ 1.86 GHz and an 80 GB HD.
 
There is only one 10/100 NIC on my Acer box, so monitoring and management are on the same interface. Snort is monitoring only one VLAN (VLAN 1) at the moment.
 
Now I would like to use Snort to monitor multiple VLANs, e.g. VLAN 1, VLAN 20, etc., so I converted my Acer Ubuntu Snort box into a VM in our ESX 4.0 environment. I created two additional NICs on the VM, so there are now three NICs: NIC1 is for management on VLAN 1, NIC2 is for monitoring on VLAN 1, and NIC3 is for monitoring on VLAN 20.
 
After lots of "Googling", I have found that the following post from Barry (in 2005) is really relevant to my case:

http://seclists.org/snort/2005/q2/60

 
I have got the idea, but it's still hard for me to follow the actual "HOW TO" steps. I don't expect anyone to "baby-sit" me on Snort, although Barry did a very good "case study", but I would like to have some extra info regarding the files, locations, what, how, etc. (just like the first URL link above from Bil) for a Snort dummy like me.
 
I would like to have the following:
1.) How to setup the management interface separately from the monitoring interface?
2.) How to setup two instances of Snort and Barnyard to monitor two VLANs on one VM?
 
* The network ports (for the ESX 4.0 machines) on the switch are configured as follows:

hybrid link type,
with VLAN 1 and VLAN 20 tagged, and
the hybrid PVID is VLAN 20.
 
Any information and help would be much appreciated.
 
Many thanks in advance.
 
Regards
 
John
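The two-instance setup asked about above, as an added example that is not from the original post or from the Snort or Barnyard2 projects: one Snort and Barnyard2 pair per monitoring vNIC, with the management vNIC left alone. Interface names (eth0 management, eth1 for VLAN 1, eth2 for VLAN 20), paths, config file names and the VLAN-to-NIC mapping are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Snort or
# Barnyard2 projects. Interface names (eth0 management, eth1 -> VLAN 1,
# eth2 -> VLAN 20), paths and config file names are assumptions.
SNORT="${SNORT:-/usr/local/bin/snort}"
BARNYARD2="${BARNYARD2:-/usr/local/bin/barnyard2}"
CONF_DIR="${CONF_DIR:-/etc/snort}"
LOG_BASE="${LOG_BASE:-/var/log/snort}"

# A monitoring NIC gets no IP address: bring it up in promiscuous mode only,
# so management traffic (SSH, BASE) stays on the first vNIC.
sensor_iface_cmd() {
    printf 'ip link set %s up promisc on\n' "$1"
}

# One Snort daemon per monitoring NIC. Each needs its own snort.conf copy
# and its own log directory; Snort already names the PID file after the
# interface, so two daemons on different NICs do not collide there.
# Third argument: "tagged" when the guest sees 802.1Q tags (ESX port group
# on VLAN 4095, i.e. guest tagging), so a BPF "vlan N" filter keeps frames
# from other VLANs out; "untagged" when a per-VLAN port group already
# strips the tags on the vSwitch (then a vlan filter would match nothing).
snort_cmd() {
    iface=$1 vlan=$2 tagging=$3
    cmd="$SNORT -D -i $iface -c $CONF_DIR/snort.$iface.conf -l $LOG_BASE/$iface"
    [ "$tagging" = tagged ] && cmd="$cmd vlan $vlan"
    printf '%s\n' "$cmd"
}

# One Barnyard2 per instance, tailing that instance's unified2 spool
# (assumes "output unified2: filename snort.u2" in each snort.conf).
barnyard2_cmd() {
    printf '%s -D -c %s/barnyard2.%s.conf -d %s/%s -f snort.u2 -w %s/%s/barnyard2.waldo\n' \
        "$BARNYARD2" "$CONF_DIR" "$1" "$LOG_BASE" "$1" "$LOG_BASE" "$1"
}

# Start both sensor pairs: `sh snort-vlans.sh start [tagged|untagged]`.
if [ "${1:-}" = start ]; then
    tagging=${2:-untagged}
    for spec in "eth1 1" "eth2 20"; do
        set -- $spec
        mkdir -p "$LOG_BASE/$1"
        eval "$(sensor_iface_cmd "$1")"
        eval "$(snort_cmd "$1" "$2" "$tagging")"
        eval "$(barnyard2_cmd "$1")"
    done
fi
```

Whether to pass "tagged" or "untagged" depends on how the ESX port groups for NIC2 and NIC3 are set up; with the switch port carrying VLAN 1 and VLAN 20 tagged, a per-VLAN port group gives each vNIC untagged frames of one VLAN, while a VLAN 4095 port group delivers the tags to the guest.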
  		 	   		  
_________________________________________________________________
Need a new place to live? Find it on Domain.com.au
http://clk.atdmt.com/NMN/go/157631292/direct/01/


