Snort mailing list archives
Re: Security Onion and a new VLan?
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Wed, 30 May 2012 18:45:13 +0000
On 5/30/2012 17:08, Corbin Fletcher wrote:
Ifconfig eth1 & eth0

eth1      Link encap:Ethernet  HWaddr 96:23:88:bd:5a:6c
          inet6 addr: fe80::9423:88ff:febd:5a6c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4395272 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:351806305 (351.8 MB)  TX bytes:2826 (2.8 KB)
          Interrupt:11 Base address:0x6000

eth0      Link encap:Ethernet  HWaddr 0a:60:90:b1:79:2f
          inet addr:10.10.xx.xx  Bcast:10.10.xx.xxx  Mask:255.255.255.0
          inet6 addr: fe80::860:90ff:feb1:792f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5565523 errors:0 dropped:52 overruns:0 frame:0
          TX packets:161922 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:881258190 (881.2 MB)  TX bytes:48699421 (48.6 MB)
          Interrupt:10 Base address:0xc000

Thanks in advance. Any guidance is much appreciated.
I think you need to set up your VLAN interface within the OS so you can monitor that VLAN. I've run into this before and just monitoring the raw physical device actually won't let you see the VLAN tagged packets IIRC. Once you add the VLAN interface of say eth0.15 (if you wanted to monitor VLAN #15) you can then also bond that interface along with whatever other interfaces you want to monitor and point Snort to bond0. That should get you where you need to go, even if it is a bit of a kludge.

-- Eoin
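The setup suggested in the reply above, written out with iproute2 as an added example; it is not part of the original message. The bond mode (balance-rr), the use of eth1 as the second capture interface, and the snort.conf path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Dry run by default: each
# command is printed. Set APPLY=1 and run as root to execute them instead.
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}   # assumed path, adjust locally

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# 802.1Q VLAN IDs are 12 bits; 0 and 4095 are reserved.
valid_vlan_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# vlan_monitor PARENT VLAN_ID BOND [EXTRA_IFACE...]
vlan_monitor() {
    [ $# -ge 3 ] || { echo "usage: vlan_monitor PARENT VLAN_ID BOND [IFACE...]" >&2; return 1; }
    parent=$1 vid=$2 bond=$3
    shift 3
    valid_vlan_id "$vid" || { echo "invalid VLAN ID: $vid" >&2; return 1; }
    vif="$parent.$vid"

    # VLAN sub-interface: receives frames tagged with $vid on $parent.
    run ip link add link "$parent" name "$vif" type vlan id "$vid"
    # Bond that aggregates every capture interface into one device.
    run ip link add "$bond" type bond mode balance-rr
    for ifc in "$vif" "$@"; do
        run ip link set "$ifc" down          # take the link down before enslaving it
        run ip link set "$ifc" master "$bond"
    done
    run ip link set "$bond" up
    # Point Snort at the bond, as the reply suggests.
    run snort -i "$bond" -c "$SNORT_CONF"
}

# Dry run with the reply's VLAN 15; eth1 is the capture NIC in the ifconfig output.
vlan_monitor eth0 15 bond0 eth1
```

After applying it, `ip -d link show eth0.15` should report `vlan protocol 802.1Q id 15`, which confirms the sub-interface is bound to the intended tag before Snort is started.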