Snort mailing list archives

Re: Security Onion and a new VLan?

From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Wed, 30 May 2012 18:45:13 +0000

On 5/30/2012 17:08, Corbin Fletcher wrote:

Ifconfig eth1& eth0

eth1   Link encap:Ethernet  HWaddr 96:23:88:bd:5a:6c
           inet6 addr: fe80::9423:88ff:febd:5a6c/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:4395272 errors:0 dropped:0 overruns:0 frame:0
           TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:351806305 (351.8 MB)  TX bytes:2826 (2.8 KB)
           Interrupt:11 Base address:0x6000

eth0   Link encap:Ethernet  HWaddr 0a:60:90:b1:79:2f
           inet addr:10.10.xx.xx  Bcast:10.10.xx.xxx  Mask:255.255.255.0
           inet6 addr: fe80::860:90ff:feb1:792f/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:5565523 errors:0 dropped:52 overruns:0 frame:0
           TX packets:161922 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:881258190 (881.2 MB)  TX bytes:48699421 (48.6 MB)
           Interrupt:10 Base address:0xc000

Thanks in advance. Any guidance is much appreciated.



I think you need to setup your VLAN interface within the OS so you can
monitor that VLAN. I've ran into this before and just monitoring the raw
physical device actually won't let you see the VLAN tagged packets IIRC.
Once you add the VLAN interface of say eth0.15 (if you wanted to monitor
VLAN #15) you can then also bond that interface along with whatever
other interfaces you want to monitor and point Snort to bond0. That
should get you where you need to go, even if it is a big of a kludge.

-- Eoin


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Security Onion and a new VLan? Corbin Fletcher (May 30)
- Re: Security Onion and a new VLan? Doug Burks (May 30)
  - Re: Security Onion and a new VLan? Joel Esler (May 30)
- Re: Security Onion and a new VLan? Eoin Miller (May 30)
  - Re: Security Onion and a new VLan? Naresh Narang (May 30)