Snort mailing list archives

Re: Security Onion and a new VLan?


From: Naresh Narang <nnarang () guardiananalytics com>
Date: Wed, 30 May 2012 12:17:53 -0700

On 5/30/2012 17:08, Corbin Fletcher wrote:
Ifconfig eth1& eth0

eth1   Link encap:Ethernet  HWaddr 96:23:88:bd:5a:6c
           inet6 addr: fe80::9423:88ff:febd:5a6c/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:4395272 errors:0 dropped:0 overruns:0 frame:0
           TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:351806305 (351.8 MB)  TX bytes:2826 (2.8 KB)
           Interrupt:11 Base address:0x6000

eth0   Link encap:Ethernet  HWaddr 0a:60:90:b1:79:2f
           inet addr:10.10.xx.xx  Bcast:10.10.xx.xxx  Mask:255.255.255.0
           inet6 addr: fe80::860:90ff:feb1:792f/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:5565523 errors:0 dropped:52 overruns:0 frame:0
           TX packets:161922 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:881258190 (881.2 MB)  TX bytes:48699421 (48.6 MB)
           Interrupt:10 Base address:0xc000

Thanks in advance. Any guidance is much appreciated.


I think you need to set up your VLAN interface within the OS so you can monitor that VLAN. I've run into this before and
just monitoring the raw physical device actually won't let you see the VLAN tagged packets IIRC.
Once you add the VLAN interface of, say, eth0.15 (if you wanted to monitor VLAN #15) you can then also bond that
interface along with whatever other interfaces you want to monitor and point Snort to bond0. That should get you where
you need to go, even if it is a bit of a kludge.



Setting up a SPAN port on the switch in trunk mode and sending VLAN data to it will capture VLAN tags.

--Naresh
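One way to confirm which of the two situations above you are in (tags stripped before the sniffing interface, or tags present and simply not being decoded) is to look at the raw Ethernet frames arriving on the monitor interface and count them per 802.1Q VLAN id. The parser below is an added example, not code from this thread or from Security Onion. It assumes you feed it raw frames (for instance read from a pcap taken on eth1 with `tcpdump -e`); the sample frames at the bottom are constructed in the script so it runs offline, and the MAC addresses, VLAN ids 15 and 100, and payloads are assumed values.

```python
"""Count raw Ethernet frames per 802.1Q VLAN id.

Useful when a sensor sees traffic on the physical interface but the IDS
seems blind to one VLAN: if every frame lands under 'None' (untagged) while
the switch is supposed to be trunking to the SPAN port, the tag is being
stripped before capture; if the expected VID shows up, the tag is there and
the problem is on the decoding side (no eth0.<vid> subinterface, etc.).
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ETHERTYPE_VLAN = 0x8100   # 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8   # 802.1ad service tag (outer tag in QinQ)
ETHERTYPE_IPV4 = 0x0800


@dataclass
class VlanTag:
    tpid: int   # tag protocol id (0x8100 or 0x88A8)
    pcp: int    # priority code point, 3 bits
    dei: int    # drop eligible indicator, 1 bit
    vid: int    # VLAN id, 12 bits


@dataclass
class Frame:
    dst: str
    src: str
    tags: List[VlanTag] = field(default_factory=list)  # outermost first
    ethertype: int = 0                                  # type after the last tag
    payload: bytes = b""


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Parse dst/src, any stack of 802.1Q/802.1ad tags, and the inner ethertype."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[:6], raw[6:12]
    off = 12
    tags: List[VlanTag] = []
    while True:
        (etype,) = struct.unpack_from("!H", raw, off)
        off += 2
        if etype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
            if len(raw) < off + 2:
                raise ValueError("truncated 802.1Q tag")
            (tci,) = struct.unpack_from("!H", raw, off)
            off += 2
            tags.append(VlanTag(etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
            continue   # a tag may be followed by another tag (QinQ)
        break
    return Frame(mac_str(dst), mac_str(src), tags, etype, raw[off:])


def vlan_ids(frames: List[bytes]) -> Dict[Optional[int], int]:
    """Frames per outermost VLAN id; untagged frames are counted under None."""
    counts: Dict[Optional[int], int] = {}
    for raw in frames:
        f = parse_frame(raw)
        key = f.tags[0].vid if f.tags else None
        counts[key] = counts.get(key, 0) + 1
    return counts


def build_frame(dst: str, src: str, vids: List[int],
                ethertype: int = ETHERTYPE_IPV4,
                payload: bytes = b"\x45" + b"\x00" * 19) -> bytes:
    """Construct a test frame; with two ids the outer tag is 802.1ad (QinQ)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for i, vid in enumerate(vids):
        tpid = ETHERTYPE_QINQ if (len(vids) > 1 and i == 0) else ETHERTYPE_VLAN
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample capture (assumed addresses and VLAN ids, not real traffic).
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "0a:60:90:b1:79:2f", [15]),
    build_frame("ff:ff:ff:ff:ff:ff", "0a:60:90:b1:79:2f", [15]),
    build_frame("ff:ff:ff:ff:ff:ff", "96:23:88:bd:5a:6c", []),        # untagged
    build_frame("ff:ff:ff:ff:ff:ff", "96:23:88:bd:5a:6c", [100, 15]), # QinQ
]

if __name__ == "__main__":
    for raw in SAMPLE_FRAMES:
        f = parse_frame(raw)
        print(f.src, "->", f.dst, [t.vid for t in f.tags], hex(f.ethertype))
    print(vlan_ids(SAMPLE_FRAMES))
```

If the per-VID counts on the physical interface show the new VLAN, the fix is on the host side (a VLAN subinterface such as `eth0.15` via `ip link add link eth0 name eth0.15 type vlan id 15`, or Snort's own VLAN-aware decoding); if only untagged frames appear, check the SPAN session and trunk configuration on the switch, as the tags are being removed before the sensor ever sees them.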


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net