virtual interfaces and snort; export

Author: plug-discuss@lists.plug.phoenix.az.us
Date:  
Subject: virtual interfaces and snort; export
Basically we have snort listening on a trunk port and we thought that we
needed a virtual interface for each network or each subnet.

What we are working on is basically running snort on all subnets from
one trunk port and then forwarding syslog messages to another server.

Jim

On Tue, 2004-02-17 at 22:37, Kevin Brown wrote:
> wrote:
>
> > We have a box set up with multiple virtual interfaces for purposes of
> > multiple vlans and I want to send all syslog traffic or send all traffic
> > out of a given interface.
> >
> > Can I use the export command for this? If not export how should I
> > accomplish this?
>
> I've played with snort quite a bit and don't quite understand what you want to
> do. If the sniffer box is hooked up to a switch that has vlans and you make its
> port part of all those vlans then there is no need for the virtual interfaces.
> As for what interface it uses to communicate with a remote system, that is set
> by the kernel routing table, not by snort. So if you really want to force
> packets going to a certain IP (or subnet) then you just set up a static route in
> the route table to control which interface it goes out as.
>
> I could help more, but don't know if you are trying to do true NIDS (Network
> Intrusion Detection System) or running snort on a system as a kind of Network
> HIDS (Host Intrusion Detection System). I had snort listening to a silent
> interface that was connected to a span port on a Cisco switch and a second
> interface that had only the ability to reach one subnet on the entire network
> (and only reachable from same subnet).
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
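
The quoted reply's point that the kernel routing table, not snort, picks the outgoing interface, shown as an added example that is not part of the original thread. The route entries, interface names and syslog server address are constructed, the helper names are hypothetical, and the lookup is simplified to longest-prefix match with the metric as tie-breaker (gateways and policy routing are left out).

```python
import ipaddress

# Constructed routing table for a sensor with VLAN sub-interfaces on a trunk
# (eth0.10, eth0.20) and a separate management NIC (eth1). All values are
# assumptions for illustration: (prefix, device, metric).
ROUTES = [
    ("0.0.0.0/0", "eth0.10", 0),        # default route leaves via VLAN 10
    ("10.0.10.0/24", "eth0.10", 0),
    ("10.0.20.0/24", "eth0.20", 0),
    ("192.168.50.0/24", "eth1", 0),     # management subnet
]

SYSLOG_SERVER = "172.16.5.20"           # constructed address of the log collector


def egress_interface(dest, routes):
    """Return the device a packet to dest leaves on, or None if unroutable.

    The most specific matching prefix wins; the lowest metric breaks ties.
    """
    addr = ipaddress.ip_address(dest)
    candidates = []
    for prefix, dev, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            candidates.append((-net.prefixlen, metric, dev))
    return min(candidates)[2] if candidates else None


def with_static_route(routes, prefix, dev, metric=0):
    """Return a copy of the table with one extra static route added."""
    return routes + [(prefix, dev, metric)]


if __name__ == "__main__":
    # Without a specific route, syslog traffic follows the default route.
    print("before:", egress_interface(SYSLOG_SERVER, ROUTES))
    # A /32 host route pins traffic for the collector to the management NIC.
    pinned = with_static_route(ROUTES, SYSLOG_SERVER + "/32", "eth1")
    print("after: ", egress_interface(SYSLOG_SERVER, pinned))
    # Neighbouring hosts are unaffected by the host route.
    print("other: ", egress_interface("172.16.5.21", pinned))
```

On a live Linux system, `ip route get <address>` reports the interface the kernel actually selects for a destination.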