Home page logo

snort logo Snort mailing list archives

Re: Monitoring Multiple Subnets
From: "Seth Dunn" <seth () d2ms com>
Date: Mon, 13 May 2013 11:16:37 -0400

For what I did....I don't have quite the same setup as you, but I needed
to monitor multiple LANs.
10.75.x.x/24 and 10.76.x.x/24

I am using a Cisco switch for my networks.
I set up SPAN on my switch, RSPAN is also available, to copy traffic
from two ports in which inbound/outbound traffic flows for these
LANs.....and set up the destination port for the port that my Snort box
is listening on.


Then as someone noted, in your snort.conf file you need to make sure
these two networks are part of your $HOME variable.


From: Shaun Marlin [mailto:shaun.marlin () canalta com] 
Sent: Monday, May 13, 2013 11:04 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Monitoring Multiple Subnets


I am building a SNORT box to monitor my network.  I have 2 ISP's.  Is it
possible to have the 2 ISP's connect into an unmanaged switch, then have
SNORT configured with an IP from each block that I have, and finally
pass the traffic back onto the switch that goes into my network?


Sorry for the run on question there


Essentially I am looking for something like this





  ISP 1

Router 1
Internal Network




  ISP 2
Router 2





                                Unmanaged Switch



SNORT would endup monitoring 3 different subnets.  For instance and


Does anyone see a reason why this would not work


Shaun Marlin
Network Administrator

Canalta Family of Companies

2109 - 545 Highway 10 East 
Drumheller AB Canada T0J 0Y0
PHONE: (403) 820-3865
CELL:     (403) 334-1313  

EMAIL:   shaun.marlin () canalta com
WEB:      www.canalta.com




Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]