[Snort-users] Snort and my VLANs

Josh Bitto jbitto at ...16055...
Thu Feb 14 17:29:45 EST 2013


Let me lay it all out for you….Ok so I setup a test network not my actual production network.

PFsense=Firewall
Interface-> VLAN27= 192.168.127.1/24
IP range within that vlan is 192.168.127.10-20 ( I don’t need a broad test spectrum so 10 ip’s should be fine for what I’m doing)

Interface-> VLAN26= 192.168.126.1/24
IP range within that vlan is 192.168.126.10-20
Interface-> LAN= 192.168.125.1/24
IP range within that vlan is 192.168.125.10-20

Interface-> WAN IP is actually from dhcp so it is assigned an IP from production network….the above are static.

I get all kinds of alerts from WAN so I know it is working correctly. I need to be able to test and see if my VLANs will show up anything….Users that BYOD would be on a specific VLAN so isolation is key. I can’t allow bridges between my WAN and LAN or VLANs.

Any suggestions?

I tried to understand your answer, but need more clarity.


From: Y M [mailto:snort at ...15979...]
Sent: Thursday, February 14, 2013 2:08 PM
To: Josh Bitto; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Snort and my VLANs

In this case you would need to place sensors between vlans for vlan-to-vlan communication/detection since the traffic will not be reaching the edge WAN or router interface and Snort will not be seeing the traffic. However, if a BYOD is, for example, infected with a malware which may be attempting to communicate to an external IP, then it has to go through the edge router and hence get detected by Snort.

This is where a distributed sensors deployment architecture would come in handy. I would suggest starting with, if you have one, the servers vlan to monitor any suspicious activity going to your servers.

I hope my answer makes some sense.

YM
________________________________
From: Josh Bitto<mailto:jbitto at ...16055...>
Sent: ‎2/‎15/‎2013 12:57 AM
To: snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>
Subject: [Snort-users] Snort and my VLANs

I’m having issues where I am not able to determine if I can actually catch bad traffic with snort.



Right now I have snort in a test lab where I have interfaces WAN, LAN….and then my VLANS. My firewall does all the routing and has the vlans setup. So when I go to testmyids.com and trigger a rule I get the rule triggered on my WAN interface but not any of my VLANs……



Basically what I’m trying to initiate is if a user brings in a byod…I want to be able to detect anything on that machine when it connects to my internal vlan.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130214/d39fa192/attachment.html>


More information about the Snort-users mailing list