Snort mailing list archives

Snort monitoring multiple vlans


From: Michael Dengler <michael.dengler () gmail com>
Date: Fri, 30 Nov 2012 16:40:16 -0600

Hi,

I'm new to snort and have a question regarding snort on multiple vlans.

System details:

snort 2.9.3.1
CentOS 5.8

eth0:
Stub interface for vlans

eth0.10
ip address 192.168.0.20

eth0.11
ip address 192.168.10.20

eth0.12
ip address 192.168.20.20

eth0.13
ip address 192.168.30.20

Currently I have snort running with:

snort -c /etc/snort/snort.conf -D -p -i eth0.10

With snort.conf:

# Path to rules
var RULE_PATH /etc/snort/rules
# Syslog Settings
output alert_syslog: LOG_LOCAL5 LOG_ALERT
# Rules to load
include $RULE_PATH/unicast.rules

And unicast.rules:

# Alert on TCP traffic
alert tcp any any -> 192.168.0.20 any (sid:300;)
# Alert on UDP traffic
alert udp any any -> 192.168.0.20 any (sid:400;)
# Alert on ICMP traffic
alert icmp any any -> 192.168.0.20 any (sid:500;)

My question is:

How do I get snort to listen on the other vlan interfaces for traffic
hitting their associated IP address?

I have read in the manual that this can be achieved by using "config
binding: <path_to_snort.conf> vlan <vlanIdList>", however I can't seem to
find much more info on the proper usage of this feature, i.e.:

What interface do I use when I start snort? (the -i argument)
Do settings defined in the default snort.conf (-c /etc/snort/snort.conf)
flow down to the non-default .conf or do I need to re-define them in the
non-default?

Any help is greatly appreciated.

M