Snort only for VIP?



  • Hi,
    I was wondering if it was possible to only monitor the VIP rather than the whole WAN?

    As I have users navigating on the WAN, and the VIP is the email server, website, VOIP.

    Thank you



  • BUMP?



  • Bump? Is it even possible for Snort to monitor a virtual IP?

    Thank you


  • Moderator

    @killmasta93:

    Bump? Is it even possible for Snort to monitor a virtual IP?

    Thank you

    Yes… Typically the VIP is assigned to an existing interface, so Snort/Suricata can monitor that interface.



  • Thanks for the reply. As you say, Snort monitors the VIP, but the issue is that Snort would also be monitoring the WAN. In my case I have users navigating on the WAN, let's say it's 181.143.xx.1, and the VIP is 181.143.xx.2, which has the NAT for the email ports, SIP ports, etc. I would only want Snort to monitor that IP and not the WAN, because I would get so many false alarms when users navigate, even though I had a large suppress list.

    Thank you



  • I'm sure repeating yourself gets very annoying, but for me and other potential helpers could you clarify a bit more? To me it sounds like you just want it to monitor a specific interface that isn't WAN, since you've got too much traffic happening there.

    I do the same as I only have Snort on my server network as that's the only public interface, or am I missing the entire point here?



  • Thanks for the reply. What I'm trying to accomplish is to use Snort to only listen to the VIP IP, but it seems that Snort only listens to interfaces rather than IPs. As the VIP is connected to the WAN, that makes things a tad bit harder. Currently what I have is 5 static IPs which my ISP gives me; one of those IPs is the VIP IP, which is open to the world for things such as email server ports, FTP, website ports, etc., and one of those IPs is the WAN, which all users navigate with. The issue with running Snort on the WAN is that it gives way too many false alerts. I know that there is a suppress list, which I tried, but it's just a pain. The alternative is to run only the SMTP, IMAP, POP and FTP rules, but then if I want to run the HTTP rules it's going to be a hassle with the users.

    Thank you
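The thread's sticking point is that Snort attaches to an interface, not to an address. Two Snort 2.x mechanisms let a sensor on the WAN-facing interface see only the VIP's traffic; the fragment below is an added example, not a configuration posted in the thread or shipped by any package. The addresses are constructed (RFC 5737 documentation range), the interface name and file paths are assumptions, and the real VIP would be substituted for 203.0.113.2.

```conf
# Added example (not from the thread). Snort 2.x on the WAN-facing
# interface, narrowed to the VIP only. Addresses are constructed
# (RFC 5737); interface name and paths are assumptions.

# --- snort.conf ---------------------------------------------------------
# 1. Make the VIP the only "home" address. Rules written against
#    $HOME_NET / $EXTERNAL_NET then key on the VIP and ignore the outbound
#    browsing of users behind the other WAN address. Rules that do not use
#    these variables (e.g. "any -> any") still fire, so this alone does not
#    silence the sensor.
ipvar HOME_NET [203.0.113.2]
ipvar EXTERNAL_NET !$HOME_NET

# 2. Apply a BPF capture filter. Packets that do not involve the VIP are
#    dropped by the packet acquisition layer before any rule or
#    preprocessor runs, so user browsing from the other address is never
#    inspected at all.
config bpf_file: /usr/local/etc/snort/vip.bpf

# --- /usr/local/etc/snort/vip.bpf ---------------------------------------
# Standard libpcap filter syntax: keep only packets to or from the VIP.
host 203.0.113.2

# --- equivalent command line (assumed interface em0) ---------------------
# snort -i em0 -c /usr/local/etc/snort/snort.conf 'host 203.0.113.2'
```

The BPF filter is the part that actually answers the question, because it decides which packets the sensor sees; the HOME_NET change only sharpens which side of a conversation the rules treat as protected. The trade-off is the one the poster accepts: with the filter in place, nothing on the users' WAN address is inspected, so any alerting on that traffic has to come from a separate sensor or a broader filter.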




