Snort mailing list archives
Re: Snort multiple sensor configuration
From: "Stephen Reese" <rsreese () gmail com>
Date: Fri, 10 Oct 2008 14:57:56 -0400
So are all the networks that talk to the internet going to be crossing your sniffing interface that you have behind the firewall? If so, then what is the sense in having the inside interface also watch traffic going out to the internet? Have your third interface set up as your HOME_NET = your internal network, and your EXTERNAL_NET = $HOME_NET. So basically you are watching network to network traffic. Not network to internet, since you already have an interface to do that. That way you aren't duplicating alerts.
Joel
Internet *should* not come into the main network from the branch networks. The main network 172.31.1.0, as well as the branches 172.31.2-5.0, have their own access via DSL connections. I would like to mainly watch network to network traffic. So HOME_NET = 172.31.1-5.0/24, and EXTERNAL_NET = $HOME_NET would cover this? What if something does infiltrate the network not on one of these subnets and crosses into the main network? Would it appear? Lastly, some of the servers and one of the branches access the internet through an MPLS connection that connects to a COLO. Is there an efficient way to monitor remote traffic at the border such as this, or does another Snort box need to monitor this traffic?
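An added example (not from the thread or the Snort project): a simplified Python model of how the address part of a rule header written `$EXTERNAL_NET any -> $HOME_NET any` matches under different EXTERNAL_NET settings, using the subnets named in the message. The flow addresses are constructed, and reading `172.31.1-5.0/24` as five /24 networks is an assumption.

```python
import ipaddress

# Subnets from the thread: main network 172.31.1.0/24 plus branches
# 172.31.2.0/24 .. 172.31.5.0/24 (assumed reading of "172.31.1-5.0/24").
HOME_NET = [ipaddress.ip_network(f"172.31.{i}.0/24") for i in range(1, 6)]


def in_nets(ip, nets):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def header_matches(src, dst, external_net):
    """Model only the src/dst check of '$EXTERNAL_NET any -> $HOME_NET any'.

    external_net: "home"     -> EXTERNAL_NET = $HOME_NET
                  "not_home" -> EXTERNAL_NET = !$HOME_NET
                  "any"      -> EXTERNAL_NET = any
    """
    if not in_nets(dst, HOME_NET):
        return False  # destination side of the header must be in HOME_NET
    src_is_home = in_nets(src, HOME_NET)
    if external_net == "home":
        return src_is_home
    if external_net == "not_home":
        return not src_is_home
    if external_net == "any":
        return True
    raise ValueError(f"unknown EXTERNAL_NET setting: {external_net}")


# Constructed sample flows (label, source, destination).
FLOWS = [
    ("branch -> main", "172.31.3.20", "172.31.1.10"),
    ("unlisted subnet -> main", "10.9.8.7", "172.31.1.10"),
    ("internet -> main", "198.51.100.7", "172.31.1.10"),
    ("main -> internet", "172.31.1.10", "198.51.100.7"),
]


def coverage(external_net):
    """Which sample flows pass the header check for a given setting."""
    return {name: header_matches(s, d, external_net) for name, s, d in FLOWS}


if __name__ == "__main__":
    for setting in ("home", "not_home", "any"):
        print(setting, coverage(setting))
```

In this model, a source on a subnet that is not listed in HOME_NET does not pass rule headers of this form when EXTERNAL_NET = $HOME_NET; rules written with other variables or with `any` are outside what it covers.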