We are trying to use this in a NIDS format.


Jim


On Wed, 2004-02-18 at 08:39, elemint@hotpop.com wrote:
> Basically we have snort listening on a trunk port and we thought that we
> needed a virtual interface for each network or each subnet. 
> 
> What we are working on is basically running snort on all subnets from
> one trunk port and then forward syslog messages to another server.  
> 
> 
> 
> 
> 
> Jim
> 
> 
> 
> 
> 
> 
> On Tue, 2004-02-17 at 22:37, Kevin Brown wrote:
> > elemint@hotpop.com wrote:
> > 
> > > We have a box setup with multiple virtual interfaces for purposes of
> > > multiple vlans and I want to send all syslog traffic or send all traffif
> > > out of a given interface.
> > > 
> > > Can I use the export command for this?  If not export how should I
> > > accomplish this?
> > 
> > I've played with snort quite a bit and don't quite understand what you want to 
> > do.  If the sniffer box is hooked up to a switch that has vlans and you make its 
> > port part of all those vlans then there is no need for the virtual interfaces. 
> > As for what interface it uses to communicate with a remote system, that is set 
> > by the kernel routing table, not by snort.  So if you really want to force 
> > packets going to a certain IP (or subnet) then you just setup a static route in 
> > the route table to control which interface it goes out as.
> > 
> > I could help more, but don't know if you are trying to do true NIDS (Network 
> > Intrusion Detection System) or running snort on a system as a kind of Network 
> > HIDS (Host Intrusion Detection System).  I had snort listening to a silent 
> > interface that was connected to a span port on a Cisco switch and a second 
> > interface that had only the ability to reach one subnet on the entire network 
> > (and only reachable from same subnet).
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change  you mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change  you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss