virtual interfaces and snort; export

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
Mplug-discuss@lists.plug.phoenix.az.us at <-
M 
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: plug-discuss@lists.plug.phoenix.az.us
Date:  
Subject: virtual interfaces and snort; export
We are trying to use this in a NIDS format.


Jim


On Wed, 2004-02-18 at 08:39, wrote:
> Basically we have snort listening on a trunk port and we thought that we
> needed a virtual interface for each network or each subnet.
>
> What we are working on is basically running snort on all subnets from
> one trunk port and then forward syslog messages to another server.
>
>
>
>
>
> Jim
>
>
>
>
>
>
> On Tue, 2004-02-17 at 22:37, Kevin Brown wrote:
> > wrote:
> >
> > > We have a box setup with multiple virtual interfaces for purposes of
> > > multiple vlans and I want to send all syslog traffic or send all traffif
> > > out of a given interface.
> > >
> > > Can I use the export command for this? If not export how should I
> > > accomplish this?
> >
> > I've played with snort quite a bit and don't quite understand what you want to
> > do. If the sniffer box is hooked up to a switch that has vlans and you make its
> > port part of all those vlans then there is no need for the virtual interfaces.
> > As for what interface it uses to communicate with a remote system, that is set
> > by the kernel routing table, not by snort. So if you really want to force
> > packets going to a certain IP (or subnet) then you just setup a static route in
> > the route table to control which interface it goes out as.
> >
> > I could help more, but don't know if you are trying to do true NIDS (Network
> > Intrusion Detection System) or running snort on a system as a kind of Network
> > HIDS (Host Intrusion Detection System). I had snort listening to a silent
> > interface that was connected to a span port on a Cisco switch and a second
> > interface that had only the ability to reach one subnet on the entire network
> > (and only reachable from same subnet).
> > ---------------------------------------------------
> > PLUG-discuss mailing list -
> > To subscribe, unsubscribe, or to change you mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss


This message was posted to the following mailing lists:
Plug Discuss
Mailing List Info | Nearby Messages		<-virtual interfaces and snort; exportOT: DSL options->
Some Mailing List Archive administrated by UnconfiguredLurker (version 2.3)