Can snort be configured for a single interface or VLAN?

  • Right now I have Snort running on the WAN interface looking at all incoming traffic, but I am really only worried about a few internal interfaces. Is there a way to configure this?

  • Simply add the interface you need to monitor.
    I only monitor LAN interfaces; there is no need to look at the WAN, since the firewall blocks any inbound, unsolicited traffic. The only inbound traffic is via VPN.

  • So that will monitor any incoming traffic to that subnet?

  • @TyMac:

    So that will monitor any incoming traffic to that subnet?

    …and outgoing from that subnet. If you have NAT enabled, you will actually find running Snort (or Suricata) on the LAN and other interfaces beneficial. This is because on the WAN, with NAT, all traffic appears to originate from and go to your WAN IP. That is not useful when trying to track down a LAN client that is alerting. With Snort on the LAN, all the logged alerts will have the LAN IPs in them.
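    To make the NAT point above concrete, here is an added example (not code from the thread or from the Snort project) that parses Snort's single-line "fast" alert format and groups alerts by the endpoint that falls inside HOME_NET. The alert lines, the WAN address 198.51.100.7 and the LAN subnet 192.168.1.0/24 are constructed sample data; the same three events are shown as a WAN-side sensor behind NAT would log them and as a LAN-side sensor would log them.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Snort "fast" alert line (IPv4). ICMP alerts carry no ports, so the
# port groups are optional. The Classification field is optional too.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts: what a sensor on the WAN side of a NAT
# firewall sees. Every internal endpoint collapses to the WAN address.
WAN_HOME_NET = "198.51.100.7/32"  # assumed WAN IP (documentation range)
WAN_ALERTS = """\
03/14-10:22:31.123456  [**] [1:1000001:1] SAMPLE suspicious response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 198.51.100.7:51312
03/14-10:23:05.000123  [**] [1:1000001:1] SAMPLE suspicious response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 198.51.100.7:51340
03/14-10:24:17.555000  [**] [1:1000002:1] SAMPLE outbound ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 203.0.113.55
"""

# The same three events as logged by a sensor on the LAN interface,
# before NAT rewrites the source. Each alert names the real client.
LAN_HOME_NET = "192.168.1.0/24"  # assumed LAN subnet
LAN_ALERTS = """\
03/14-10:22:31.123456  [**] [1:1000001:1] SAMPLE suspicious response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.1.20:51312
03/14-10:23:05.000123  [**] [1:1000001:1] SAMPLE suspicious response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.1.35:51340
03/14-10:24:17.555000  [**] [1:1000002:1] SAMPLE outbound ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 203.0.113.55
"""


def parse_fast_alerts(text):
    """Parse fast-format alert lines into dicts; reject lines that do not match."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised alert line: {line!r}")
        alerts.append(m.groupdict())
    return alerts


def internal_endpoint(alert, home_net):
    """Return whichever of src/dst lies inside home_net, or None if neither does."""
    net = ip_network(home_net, strict=False)
    for key in ("src", "dst"):
        if ip_address(alert[key]) in net:
            return alert[key]
    return None


def alerts_by_internal_host(text, home_net):
    """Count alerts per internal host; this is the view an analyst triages from."""
    counts = defaultdict(int)
    for alert in parse_fast_alerts(text):
        host = internal_endpoint(alert, home_net) or "external-only"
        counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    # WAN-side sensor: one bucket, the WAN IP; the LAN client is unknowable.
    print("WAN sensor:", alerts_by_internal_host(WAN_ALERTS, WAN_HOME_NET))
    # LAN-side sensor: alerts attributed to 192.168.1.20 and 192.168.1.35.
    print("LAN sensor:", alerts_by_internal_host(LAN_ALERTS, LAN_HOME_NET))
```

    The WAN-side grouping yields a single bucket under the firewall's own address, so the only way to recover the client would be the NAT state table at the moment of the alert, which is not in the alert log. The LAN-side grouping attributes each alert to a client directly. If the LAN interface carries VLANs, run the same parser over each VLAN sub-interface's alert file with that VLAN's subnet as HOME_NET.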


  • Well, I'm trying to eliminate any security measures from a certain LAN due to bitching about the rules blocking stuff… so adding Snort to the WAN will probably cause more issues, and they are not willing to troubleshoot.

