[Snort-users] Snort and my VLANs

Y M snort at ...15979...
Thu Feb 14 17:07:54 EST 2013


In this case you would need to place sensors between VLANs for VLAN-to-VLAN communication/detection, since the traffic will not be reaching the edge WAN or router interface and Snort will not be seeing the traffic. However, if a BYOD is, for example, infected with malware that may be attempting to communicate with an external IP, then it has to go through the edge router and hence get detected by Snort.

This is where a distributed sensor deployment architecture would come in handy. I would suggest starting with, if you have one, the servers VLAN to monitor any suspicious activity going to your servers.

I hope my answer makes some sense.

YM
________________________________
From: Josh Bitto<mailto:jbitto at ...16055...>
Sent: 2/15/2013 12:57 AM
To: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: [Snort-users] Snort and my VLANs

I'm having issues where I am not able to determine if I can actually catch bad traffic with snort.

Right now I have snort in a test lab where I have interfaces WAN, LAN... and then my VLANs. My firewall does all the routing and has the VLANs set up. So when I go to testmyids.com and trigger a rule I get the rule triggered on my WAN interface but not any of my VLANs...

Basically what I'm trying to initiate is if a user brings in a BYOD... I want to be able to detect anything on that machine when it connects to my internal VLAN.
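
The sensor placement point in the reply above can be checked against flow records before deploying anything. The following is an added example, not part of the original thread: it models which firewall interfaces a flow crosses and lists the flows a given set of sensors would miss. The segment names, subnets and sample flows are constructed assumptions, and it goes slightly beyond the thread by also covering same-VLAN traffic, which never reaches the routing firewall.

```python
import ipaddress

# Constructed lab layout (assumption): segment names and subnets are illustrative.
SEGMENTS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "SERVERS": ipaddress.ip_network("10.0.10.0/24"),
    "BYOD": ipaddress.ip_network("10.0.20.0/24"),
}

# Constructed sample flows (src, dst); 203.0.113.7 is a documentation address.
FLOWS = [
    ("10.0.20.15", "203.0.113.7"),   # BYOD host -> external IP
    ("10.0.20.15", "10.0.10.5"),     # BYOD host -> server VLAN
    ("192.168.1.20", "10.0.10.5"),   # LAN host -> server VLAN
    ("10.0.20.15", "10.0.20.16"),    # BYOD host -> BYOD host
]

def segment_of(ip):
    """Return the internal segment containing ip, or None if it is external."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def sensor_points(src, dst):
    """Firewall interfaces a flow crosses; a sensor on any of them sees it."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        # Leaves the site: crosses the internal interface and the WAN.
        return {"WAN"} | {x for x in (s, d) if x}
    if s == d:
        # Same VLAN: switched at layer 2, never reaches the firewall.
        return set()
    # Routed VLAN to VLAN: crosses both VLAN interfaces, never the WAN.
    return {s, d}

def coverage_gaps(flows, sensors):
    """Return the flows that no deployed sensor can observe."""
    return [f for f in flows if not (sensor_points(*f) & set(sensors))]

if __name__ == "__main__":
    for deployed in (["WAN"], ["WAN", "SERVERS"]):
        print(deployed, "misses", coverage_gaps(FLOWS, deployed))
```

Flows that remain in the gap list with every interface covered are same-VLAN flows, which would need a switch mirror port or tap rather than another sensor on the firewall.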
