

I am new to Snort. I followed the instructions at this URL: https://wwwx.cs.unc.edu/~hays/archives/work/index.php
All went well, Snort is running well and I am getting many Snort alerts in BASE and in the terminal.

Snort 2.8.4.1 and Barnyard2 on Ubuntu 9.10 are running on my Acer box with a dual core Intel CPU @ 1.86 GHz and an 80G HD.

There is only one 10/100 NIC on my Acer box, so monitoring and management are on the same interface. Snort is monitoring only one VLAN (VLAN1) at the moment.

Now I would like to use Snort to monitor multiple VLANs, e.g. VLAN 1, VLAN 20 etc., so I converted my Acer-Ubuntu-Snort box into a VM in our ESX 4.0 environment and created two additional NICs on the VM. Now there are three NICs: NIC1 is for management on VLAN1, NIC2 is for monitoring on VLAN1, and NIC3 is for monitoring on VLAN20.

After lots of “Google”, I have found the following post from Barry (in 2005), which is really relevant to my case:
http://seclists.org/snort/2005/q2/60

I have got the idea, but it’s still hard for me to follow the actual “HOW TO” steps. I don’t expect anyone to “baby-sit” me on Snort, even though Barry did a very good “case study”, but I would like some extra info regarding the files, locations, what, how etc. (just like the first URL link above from Bil) for a Snort dummy like me.

I would like to have the following:
1.) How to set up the management interface separately from the monitoring interface?
2.) How to set up two instances of Snort and Barnyard to monitor two VLANs on one VM?

* Network ports (for ESX 4.0 machines) on the switch are configured as follows:
• hybrid link type
• with VLAN 1, VLAN 20 tagged, and
• the hybrid PVID is VLAN20.

Any information and help would be much appreciated.

Many thanks in advance.

Regards

John

asked 04/07/2010 03:18

mbsadmin1


4 Answers:

I believe for this you have two options, both of which start by trunking all VLANs from your switch to the physical NIC. Then:

1. Create one port group per VLAN, and one vNIC per VLAN, assigning all vNICs to your VM. Then get your app to monitor traffic on all NICs which are assigned to it.

2. Create a single port group with VLAN tag 4095 (with one vNIC assigned to the VM), which effectively allows all ports through on that vNIC, like trunking. You then configure everything on the VM in the same way you would on a physical server.

answered

jkagalbraith
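Both of jkagalbraith's options end the same way on the guest: one Snort instance (with its own Barnyard2) per monitored VLAN, and a management NIC that is the only one with an IP address. The script below is an added example, not code from this thread or from the Snort project; it shows the per-sensor command lines for Snort 2.x and Barnyard2 and how to keep each sensor's unified2 spool and waldo bookmark separate. The config paths, the `snort` service user, the `snort.u2` spool name and the eth0/eth1/eth2 interface names are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread. One Snort 2.x + Barnyard2 pair per
# monitored VLAN, each with its own log directory, unified2 spool and waldo
# bookmark, so the sensors never share state. Config paths, the "snort"
# service user and the eth0/eth1/eth2 names are assumptions for this box.
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
BY2_CONF=${BY2_CONF:-/etc/snort/barnyard2.conf}
LOG_ROOT=${LOG_ROOT:-/var/log/snort}

# Keep management separate: only eth0 gets an address; a monitoring vNIC is
# brought up with no IP and in promiscuous mode so it only listens.
prep_monitor_iface() {
  ip link set dev "$1" up promisc on
}

# Per-sensor directory, keyed by a sensor name rather than the interface so
# two sensors on one trunk vNIC still get separate spools.
log_dir() {
  printf '%s/%s\n' "$LOG_ROOT" "$1"
}

# Build the snort command line: <sensor-name> <interface> [vlan-id].
# -R tags the pid file with the sensor name so two daemons on the same
# interface do not collide; -u/-g drop root once the capture socket is open.
# A VLAN id becomes a trailing BPF filter ("vlan 20"): that is how one
# instance is pinned to one VLAN when a single trunk vNIC (port group
# VLAN 4095, option 2 above) carries both. With one vNIC per VLAN
# (option 1) leave it empty.
snort_cmd() {
  name=$1; iface=$2; vlan=${3:-}
  cmd="snort -D -q -R $name -i $iface -c $SNORT_CONF -l $(log_dir "$name") -u snort -g snort"
  if [ -n "$vlan" ]; then
    cmd="$cmd vlan $vlan"
  fi
  printf '%s\n' "$cmd"
}

# Barnyard2 follows one sensor's unified2 spool (base name snort.u2 is
# assumed to match the "output unified2:" line in snort.conf); -w records
# how far it got so a restart does not replay old alerts into BASE.
barnyard_cmd() {
  dir=$(log_dir "$1")
  printf '%s\n' "barnyard2 -D -c $BY2_CONF -d $dir -f snort.u2 -w $dir/barnyard2.waldo"
}

# Start one sensor pair: <sensor-name> <interface> [vlan-id].
start_sensor() {
  mkdir -p "$(log_dir "$1")"
  prep_monitor_iface "$2"
  sh -c "$(snort_cmd "$1" "$2" "${3:-}")"
  sh -c "$(barnyard_cmd "$1")"
}

# Usage (as root on the sensor VM):
#   sh sensors.sh run         # option 1: one monitoring vNIC per VLAN
#   sh sensors.sh run-trunk   # option 2: one VLAN-4095 trunk vNIC, split by BPF
case "${1:-}" in
  run)
    start_sensor vlan1  eth1
    start_sensor vlan20 eth2
    ;;
  run-trunk)
    start_sensor vlan1  eth1 1
    start_sensor vlan20 eth1 20
    ;;
esac
```

Whichever option is used, the guest only sees other ports' traffic if the vSwitch port group that the monitoring vNIC(s) sit on has its security policy set to accept promiscuous mode; that setting is the virtual-switch equivalent of the SPAN session you would configure on a physical switch, and the trunk (4095) option needs it as well.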

to jkagalbraith: Thanks for the info, it's much appreciated. I am still not sure how port span (mirroring) would work in a VM environment.

Please give me a bit more detail on the "how" and the "procedures".

Many thanks in advance.

regards

John

answered 2010-04-08 at 07:46:50

mbsadmin1

The answer to this question is the following:

Use a Distributed Virtual Switch in our ESX 4.1 environment, which makes inline IPS/IDS possible in a virtual environment.

answered 2010-05-04 at 23:28:16

mbsadmin1

This is the key point to IDS/IPS in a virtual environment.

answered 2011-11-15 at 17:56:37

mbsadmin1

Last updated: 11/19/2011 05:19