[Snort-users] Snort and my VLANs

Ayodele Okeowo aymacro at ...11827...
Fri Feb 15 08:54:16 EST 2013


YM is right, you will need a distributed IDS to do this. However, what you
can do is place your sensor in a specific VLAN, and then assign that VLAN
to the egress interface of your core switch or edge router before traffic
crosses over to the Internet. This way you would be able to sense and drop
any packets.

And if you want to capture/sniff packets per VLAN, create a port mirror
on a VLAN, then assign that VLAN to the interface where your IDS is plugged
in. All traffic will be mirrored to this interface so you can monitor it
on your IDS.

Are your devices Cisco or Juniper, or a mixed environment?


On Thu, Feb 14, 2013 at 4:56 PM, Josh Bitto <jbitto at ...16055...> wrote:

> I’m having issues where I am not able to determine if I can actually catch
> bad traffic with snort.
>
> Right now I have snort in a test lab where I have interfaces WAN, LAN….and
> then my VLANS. My firewall does all the routing and has the vlans setup. So
> when I go to testmyids.com and trigger a rule I get the rule triggered on
> my WAN interface but not any of my VLANs……
>
> Basically what I’m trying to initiate is if a user brings in a byod…I want
> to be able to detect anything on that machine when it connects to my
> internal vlan.
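Added example, not part of the original thread: a way to check whether the interface the sensor listens on actually receives each VLAN's traffic, by counting 802.1Q tags in a classic pcap taken on that interface. The function names, the VLAN IDs 10 and 20, and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad (QinQ) tag protocol IDs

def vlan_of(frame):
    """Outermost VLAN ID of an Ethernet frame, or None if untagged/truncated."""
    if len(frame) < 16:
        return None
    ethertype, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if ethertype in TPIDS else None

def frames_from_pcap(data):
    """Yield raw frames from a classic (non-pcapng) Ethernet pcap image."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + caplen]
        off += caplen

def vlan_coverage(pcap, expected):
    """Return (frames per VLAN ID, expected VLAN IDs never seen)."""
    seen = Counter(vlan_of(f) for f in frames_from_pcap(pcap))
    return seen, sorted(set(expected) - set(seen))

def sample_pcap(vlans):
    """Constructed capture: one padded IPv4-typed frame per entry (None = untagged)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for v in vlans:
        tag = struct.pack("!HH", 0x8100, v) if v is not None else b""
        f = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + tag + b"\x08\x00" + b"\x00" * 46
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    seen, missing = vlan_coverage(sample_pcap([10, 10, None]), {10, 20})
    print("frames per VLAN:", dict(seen))
    print("expected VLANs with no traffic on the sensor port:", missing)
```

A capture that shows only untagged frames does not by itself prove a VLAN is missing from the mirror, because the switch's mirror port or the capture NIC's VLAN offload may strip the tags before the frame is recorded.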