Re: arpwatch and snort help
From: prg (rdgentry1_at_cablelynx.com)
Date: 12/20/04
- Next message: Hue-Bond: "Re: run ethereal as root"
- Previous message: /dev/null: "Re: Port "triggering""
- In reply to: Jason Benway: "arpwatch and snort help"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 20 Dec 2004 13:46:38 -0800
Jason Benway wrote:
> I setup my first linux box last week.
Just in time for the holidays ;-)
> It's running Fedora Core 3.
>
> When I set it up I only had 1 NIC. It is on our main subnet.
>
> I installed a second NIC and I was able to get it working. I've set up the
> second NIC on a mirrored switch port so it can see traffic on 4 of our
> VLANs (each VLAN is on a different subnet).
>
> I would like to set up arpwatch to only use the second NIC and for it to
> alert me to traffic on all VLANs.
> I've seen the -n switch for arpwatch, but how do I use that when arpwatch is
> running as a service?
>
> How do I use the -n switch when the subnets are not together (example:
> 10.0.0.1, 192.168.1.1, 192.168.42.1)?
>
> I would also like to set up snort to only listen on the second NIC.
>
> Thank you
> jb
Much will depend on the switch and its OS as to whether you can monitor
multiple VLANs simultaneously. What kind of switch and OS are you using?
Do you think that arpwatch -n will _allow_ you to monitor multiple
subnet IPs of different classes/widths? That is not my understanding
-- I've never needed to use the switch. I always assumed it was to
_restrict_ and _assure_ that arpwatch was monitoring only one subnet --
i.e., don't distract me with bogons and martians -- or was monitoring
subnets of equal width (prefix length) in a (more or less) contiguous
range of address space. But I could easily be wrong ;-)
As far as snort and VLAN monitoring are concerned, again I think it
will largely depend on your switch and network topology. Set up
monitoring at point(s) of traffic concentration.
This is all pretty much off the top of my head from playing with VLANs
prior to a failed roll-out a few years back -- i.e., a prototype "lab"
setup.
Also you may want/need to get on a mailing list more specific to your
hardware and software tools. http://www.tcpdump.org/lists/ might be
one to start with -- suspect folks there familiar with arpwatch as
well. Also:
http://www.mcabee.org/lists/snort-users/
http://www.ethereal.com/lists/
http://www.cisco.com/warp/public/473/41.html
(basic setup for Cisco SPAN, the switched port analyzer)
hth,
prg
email above disabled
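One way to check whether the mirrored port and the -n list really cover every VLAN, as an added example that is not from this thread: it reads arpwatch's station database (arp.dat, tab-separated ethernet/ip/last-seen/hostname records; the sample below is constructed) against the subnets the question names, reports any VLAN with no station ever seen, lists addresses that fall outside every configured subnet, and builds the repeated -n arguments. The /24 prefix lengths and the fourth subnet 192.168.7.0/24 are assumptions.

```python
import ipaddress

# Subnets the mirrored port is meant to cover, one per VLAN. The question names
# three gateways; the /24 widths and the fourth VLAN's subnet are assumptions.
MONITORED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/24", "192.168.1.0/24", "192.168.42.0/24", "192.168.7.0/24")]

# Constructed sample of arpwatch's station database (arp.dat). Each line is
# "ethernet<TAB>ip<TAB>last-seen-epoch<TAB>hostname", hostname optional.
SAMPLE_DAT = (
    "0:a:b:c:d:1\t10.0.0.1\t1103500000\tgw-vlan10\n"
    "0:a:b:c:d:2\t10.0.0.57\t1103500120\tws-57\n"
    "0:a:b:c:d:3\t192.168.1.1\t1103500300\tgw-vlan1\n"
    "0:a:b:c:d:4\t172.16.9.9\t1103500400\n"
    "0:a:b:c:d:5\t192.168.42.8\t1103500500\tprinter\n"
    "garbage line without tabs\n"
)

def parse_arpwatch_dat(text):
    """Yield (mac, ip, last_seen, hostname) per record; skip malformed lines."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        host = fields[3] if len(fields) > 3 else ""
        try:
            yield fields[0], ipaddress.ip_address(fields[1]), int(fields[2]), host
        except ValueError:
            continue  # not an address or timestamp: ignore rather than crash

def coverage_report(text, monitored=MONITORED):
    """Count stations per monitored subnet and list addresses matching none.
    A count of 0 means the mirror port (or the -n list) misses that VLAN."""
    seen = {str(net): 0 for net in monitored}
    outside = []
    for _mac, ip, _ts, _host in parse_arpwatch_dat(text):
        for net in monitored:
            if ip in net:
                seen[str(net)] += 1
                break
        else:
            outside.append(str(ip))
    return seen, outside

def arpwatch_net_flags(monitored=MONITORED):
    """Repeated -n net/width arguments for non-contiguous subnets (arpwatch
    accepts -n more than once); combine them with -i <mirror NIC>."""
    return [f for net in monitored for f in ("-n", str(net))]
```

Running coverage_report on the real arp.dat after a day of traffic tells you which of the four VLANs the SPAN port is actually delivering, independent of what the switch claims.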