Snort mailing list archives
SNORT and VLans
From: "Puetz, Christoph" <christoph.puetz () thomson com>
Date: Thu, 26 Feb 2004 11:11:29 -0700
Hello,

We're looking into the option of putting a NIDS system into place. We're not just interested in seeing what is coming from the outside, but we also want to monitor our VLans for unusual activity (e.g. virus outbreaks, infected machines sending out SPAM or broadcasting the payload via RPC buffer overflows and all that 'good' stuff).

Is SNORT an option for us at all? What would be the approach if I want to monitor about 10 VLans and the uplink to the Internet? Do I just throw 10 clients/sensors out to cover each VLan that report back to the main box? Or would I need 10 additional ports on my Cisco switches (1 for each VLan)? Or is one bastion host on the uplink capable of giving me the information I need from every VLan? I noticed in the archives that some information is being stripped off when VLans are involved.

Thanks for your feedback.

Chris
Current thread:
- SNORT and VLans Puetz, Christoph (Feb 26)
- Re: SNORT and VLans twig les (Feb 26)
- <Possible follow-ups>
- RE: SNORT and VLans Martin Jr., D. Michael (Feb 26)
- Re: SNORT and VLans Jason Haar (Feb 26)
