Re: Wireless IDS monitoring using Snort

[Jeremy Hoel <jthoel () gmail com>]

This is true.. and you can tune those alerts out,  remove things you
know are FP.  But if he wanted to see his wifi traffic, and his wifi
is on the router, then it's the only real option without doing more
hardware.

The other side of that is you also get a much better idea of whats
really out there, if you are doing it for testing or learning.

On Tue, Oct 16, 2012 at 8:45 PM, Jefferson, Shawn
<Shawn.Jefferson () bcferries com> wrote:
> Putting snort outside your firewall/router will quickly fill up your snort database with tons of alerts.  That might 
> not be what you want (or maybe it is?)
>
> -----Original Message-----
> From: Jeremy Hoel [mailto:jthoel () gmail com]
> Sent: Tuesday, October 16, 2012 12:56 PM
> To: Chuck DiRaimondi
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Wireless IDS monitoring using Snort
>
> Well if you just wanted to monitor traffic from wires/wireless <-> outside then span the port that the outside 
> connects on.  If you want to watch traffic to/from wired to wireless then you span that port also.  It depends on 
> what you want to watch specifically.
>
> So in your case, if your router is also the wifi, then no, you won't see that traffic.  If you go:
>
> Cable modem <-> switch <-> router/wifi <-> computers
>
> and then just have the span port on the switch on either the cable modem port or the router port, and you will see 
> all the traffic.
>
>
>
>
> On Tue, Oct 16, 2012 at 6:41 PM, Chuck DiRaimondi <charlesd81 () gmail com> wrote:
> > Stupid question and maybe I'm not thinking properly with regards to my
> > home network and lab topology...Can Snort be used to monitor both a
> > wired and wireless home network? In setting up my lab, I was going to
> > place a Netgear switch after my home router and use port mirroring to
> > capture all the traffic. So it would go cable modem, router, one cable
> > from router to switch, then each machine running off the switch, with
> > the sensor being on a port that is mirroring traffic. I'm assuming
> > then that all traffic going wirelessly out would be missed because it
> > is skipping the switch where the sensor is altogether. Am I right? Are
> > there any ways to configure a home network to use Snort to monitor both wired and wireless traffic?
> >
> >
> > ----------------------------------------------------------------------
> > -------- Don't let slow site performance ruin your business. Deploy
> > New Relic APM Deploy New Relic app performance management and know
> > exactly what is happening inside your Ruby, Python, PHP, Java, and
> > .NET app Try New Relic at no cost today and get our sweet Data Nerd
> > shirt too!
> > http://p.sf.net/sfu/newrelic-dev2dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
>
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM Deploy New Relic app performance management 
> and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app Try New Relic at no cost today 
> and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!