Snort mailing list archives

Re: Can Snort monitor multiple VLANs on a VM?


From: elof () sentor se
Date: Fri, 9 Apr 2010 16:46:55 +0200 (CEST)


I don't really follow your description, but...

If your sniffer NIC receives VLAN-tagged (802.1q) packets, verify whether one unique TCP session uses two separate VLANs.

Like: tcpdump -evnli eth0 -s0 -c30    <-- do NOT add any bpf filter

If you see a SYN from A to B tagged with VLAN 1 and the SYN+ACK response from B to A tagged with VLAN 2, then snort won't create alerts since the state can't be determined (and usually all rules use flow: established).

This is a common problem with SPAN in HP switches.

However, if both SYN and SYN+ACK are tagged with the same VLAN, snort should be able to handle the traffic. Make sure you don't use any bpf filter though! Like if you run snort with the filter "ip and not esp", then you won't match a single VLAN packet (then you need 'vlan and ip and not esp').

/Elof
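One way to automate the check Elof describes, as an added example that is not part of the original reply: a small parser for `tcpdump -evn` output that groups packets by TCP session and flags any session whose two directions were seen on different VLAN ids. The line format is assumed from tcpdump's text output, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Matches the fields we need from one `tcpdump -evn` line for a VLAN-tagged
# IPv4/TCP packet: VLAN id, src ip.port, dst ip.port, TCP flags. Untagged
# packets (no "vlan N,") do not match and are skipped.
LINE_RE = re.compile(
    r"vlan (?P<vlan>\d+),.*?ethertype IPv4.*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return (vlan, src, sport, dst, dport, flags), or None for lines that are
    not VLAN-tagged IPv4/TCP packets."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (int(m["vlan"]), m["src"], int(m["sport"]),
            m["dst"], int(m["dport"]), m["flags"])

def vlan_splits(lines):
    """Group packets by TCP session regardless of direction and return only the
    sessions seen on more than one VLAN id: {session_key: {vlan_id, ...}}.
    Such a session (SYN on one VLAN, SYN+ACK on another) is the case where
    Snort's stream tracking cannot establish state."""
    vlans = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        vlan, src, sport, dst, dport, _flags = parsed
        # Normalise so A->B and B->A map to the same session key.
        key = tuple(sorted([(src, sport), (dst, dport)]))
        vlans[key].add(vlan)
    return {k: v for k, v in vlans.items() if len(v) > 1}

# Constructed sample capture: the first session has its SYN on VLAN 1 and its
# SYN+ACK on VLAN 20 (the broken case); the second session is fine.
SAMPLE = """\
16:46:55.100000 00:11:22:33:44:01 > 00:11:22:33:44:02, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 10.0.1.10.43210 > 10.0.20.5.80: Flags [S], seq 1, win 29200, length 0
16:46:55.100200 00:11:22:33:44:02 > 00:11:22:33:44:01, ethertype 802.1Q (0x8100), length 78: vlan 20, p 0, ethertype IPv4, 10.0.20.5.80 > 10.0.1.10.43210: Flags [S.], seq 2, ack 2, win 28960, length 0
16:46:56.000000 00:11:22:33:44:01 > 00:11:22:33:44:03, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 10.0.1.10.50000 > 10.0.1.20.22: Flags [S], seq 1, win 29200, length 0
16:46:56.000300 00:11:22:33:44:03 > 00:11:22:33:44:01, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, 10.0.1.20.22 > 10.0.1.10.50000: Flags [S.], seq 9, ack 2, win 28960, length 0
"""

if __name__ == "__main__":
    for (a, b), ids in vlan_splits(SAMPLE.splitlines()).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]} seen on VLANs {sorted(ids)}")
```

Feed it real output from `tcpdump -evnli eth0 -s0` with no bpf filter, as Elof advises, since a filter such as "ip" silently drops the tagged frames you are trying to inspect.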



On Fri, 9 Apr 2010, Jun Wan wrote:
In my physical Accer machine, all I did was to mirror the network traffic from the uplink fiber port (source) to the 
port (destination) the Accer box is connected to (these two ports are on the same switch).

Is this the question you asked me? ---- port mirroring configuration on switch?

I don't know what to configure on switches for my VM's case, because all 3 NICs on my VM are virtual NICs, 
which are not really related to any physical ports on the switches.

Please see more details of the ESX environment and how ESX machines are connected to our cores.

If we can't configure ports to monitor those vlans on a VM, then Snort wouldn't be able to monitor in a VM environment. 
Is that right? Any information and help would be much appreciated.

Thanks again.

Regards

John

----------------------------------------
Subject: RE: [Snort-users] Can Snort monitor multiple VLANs on a VM?
Date: Thu, 8 Apr 2010 16:15:36 -0500
From: Kirby.Boteler () waggonereng com
To: junwei_wan () hotmail com

Have you configured your switch port to monitor those vlans?

Kirby Boteler | Director of Information Technology
Waggoner Engineering, Inc. | 143-A LeFleurs Square | Jackson, MS 39211
office: (601) 355-9526 | fax: (601) 352-3945 | kirby.boteler () waggonereng com


-----Original Message-----
From: Jun Wan [mailto:junwei_wan () hotmail com]
Sent: Thursday, April 08, 2010 1:13 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Can Snort monitor multiple VLANs on a VM?


Hi,

I am new to Snort, I followed the instructions on this url: https://wwwx.cs.unc.edu/~hays/archives/work/index.php

All went well, Snort is running well and I am having many Snort alerts in the BASE and terminal.

Snort 2.8.4.1 and Barnyard2 on Ubuntu 9.10 are running on my Accer box with a dual core Intel CPU @1.86 GHZ, 80G HD.

There is only one 10/100 NIC on my Accer box, so monitoring and management
are on the same interface. Snort is monitoring only one VLAN (VLAN1) at the moment.

Now I would like to use Snort to monitor multiple VLANs, e.g. VLAN 1, VLAN 20 etc, so I converted my Accer-Ubuntu-Snort 
box into a VM in our ESX4.0 environment. I created two additional NICs on the VM, so now there are three NICs: NIC1 is for 
management on VLAN1, NIC2 is for monitoring on VLAN1, and NIC3 is for monitoring on VLAN20.

After lots of "Google", I have found the following post from Barry (in 2005) is really relevant to my case:

http://seclists.org/snort/2005/q2/60


I have got the idea, but it's still hard for me to follow the actual "HOW TO" steps. I don't expect anyone to 
"baby-sit" Snort, even though Barry did a very good "case study", but I would like to have some extra info 
regarding the files, locations, what, how etc (just like the first url link above from Bil) for a Snort dummy like me.

I would like to have the following:
1.) How to setup the management interface separately from the monitoring interface?
2.) How to setup two instances of Snort and Barnyard to monitor two VLANs on one VM?

* Network ports (for ESX 4.0 machines) on the switch are configured as follows:

hybrid link type
with VLAN 1, VLAN 20 tagged, and
the hybrid PVID is VLAN20.

Any information and help would be much appreciated.

Many thanks in advance.

Regards

John

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
