Snort mailing list archives
Re: Snort IDS Monitoring a Proxy Server with Mode 4 Bonding
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 28 Feb 2014 14:44:12 -0700
On 2014-02-28 14:16, Turnbough, Bradley E. wrote:
Afternoon,

I'm having some difficulties implementing a snort solution for a proxy server that is using linux mode 4 bonding.

Proxy Server port configuration:

GigabitEthernet 0/12   YES up up [SLAG-120] proxy01 (eth0)
GigabitEthernet 1/12   YES up up [SLAG-120] proxy01 (eth1)
Port-channel 120       YES up up [SLAG] proxy01

interface GigabitEthernet 0/12
 description [SLAG-120] proxy01 (eth0)
 no ip address
 mtu 9252
 no shutdown
interface GigabitEthernet 1/12
 description [SLAG-120] proxy01 (eth1)
 no ip address
 mtu 9252
 no shutdown
interface Port-channel 120
 description [SLAG] prox01
 no ip address
 mtu 9252
 switchport
 channel-member GigabitEthernet 0/12
 channel-member GigabitEthernet 1/12
 no shutdown

monitor session 0
 source GigabitEthernet 0/12 destination GigabitEthernet 1/40 direction both
!
monitor session 1
 source GigabitEthernet 1/12 destination GigabitEthernet 1/39 direction both

-----------------------------------------------------------
IDS SYSTEM PORT CONFIGURATION:
-----------------------------------------------------------

GigabitEthernet 1/39   YES up up [SPAN] ids01 (eth5) (src:gig1/12)
GigabitEthernet 1/40   YES up up [SPAN] ids01 (eth4) (src:gig0/12)

interface GigabitEthernet 1/39
 description [SPAN] ids01 (eth5) (src:gig1/12)
 no ip address
 no shutdown
interface GigabitEthernet 1/40
 description [SPAN] ids01 (eth4) (src:gig0/12)
 no ip address
 no shutdown

monitor session 0
 source GigabitEthernet 0/12 destination GigabitEthernet 1/40 direction both
!
monitor session 1
 source GigabitEthernet 1/12 destination GigabitEthernet 1/39 direction both

For some reason my IDS is not keeping track of http sessions as it did when the proxy server was only one interface, so I took eth4 and eth5 on the IDS box and bridged them to br0. I then set up snort to monitor br0, but still no change in outcome. Do I need to create a mode 4 bond on the IDS side and sniff that? What am I doing wrong here? Surely I must be missing something.

Thanks,
Brad
daq may save the day:

snort -D --daq afpacket --daq-mode passive -i eth0:eth1

James
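The reason a single-interface capture (or one Snort per SPAN port) loses the HTTP sessions is that a mode 4 bond is two independent load-balancing decisions: the switch's port-channel hash picks the link for frames toward the proxy, and the proxy's own bond hash (xmit_hash_policy, layer2 by default) picks the link for frames it sends back. Nothing forces those two hashes to agree, so the SYN of a session can be mirrored to eth4 while the SYN/ACK lands on eth5. The simulation below, an added illustration and not code from this thread, models exactly that with constructed MAC and IP addresses, a constructed switch hash and three constructed client sessions, then runs a minimal handshake tracker over each SPAN port alone and over the merged stream (which is what James's afpacket `-i eth4:eth5` gives Snort).

```python
"""Why a mode 4 (802.3ad/LACP) bond splits one TCP session across two SPAN
ports, and why merging both SPAN feeds into a single capture stream restores
session tracking.

Added illustration, not code from the Snort thread. The MAC/IP addresses,
the two hash policies and the packets below are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# IDS SPAN ports as in the thread: eth4 mirrors gig0/12, eth5 mirrors gig1/12.
MEMBERS = ("eth4", "eth5")

PROXY_MAC = "00:50:56:00:00:01"    # constructed: proxy01 bond0 MAC
GATEWAY_MAC = "00:50:56:00:00:fe"  # constructed: next-hop router MAC
PROXY_IP, PROXY_PORT = "10.1.2.5", 3128


@dataclass(frozen=True)
class Pkt:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    flags: str  # TCP flags as a short string: S, SA, A, PA


def _mac_low_byte(mac: str) -> int:
    return int(mac.split(":")[-1], 16)


def host_bond_member(p: Pkt) -> str:
    """Link chosen by the proxy's bond for frames it transmits.

    Models xmit_hash_policy=layer2 (the Linux default): XOR of the last
    byte of source and destination MAC, modulo the number of slaves. Every
    frame from the proxy to the same next hop therefore uses one link.
    """
    return MEMBERS[(_mac_low_byte(p.src_mac) ^ _mac_low_byte(p.dst_mac)) % len(MEMBERS)]


def switch_lag_member(p: Pkt) -> str:
    """Link chosen by the switch's port-channel for frames toward the proxy.

    Constructed stand-in for an IP/port based load-balancing policy: sum of
    IP octets and ports, modulo member count. The point is only that it is
    a different function from the host's, so the two directions of a session
    need not land on the same physical link.
    """
    octets = sum(int(o) for o in (p.src_ip + "." + p.dst_ip).split("."))
    return MEMBERS[(octets + p.sport + p.dport) % len(MEMBERS)]


def span_port_for(p: Pkt) -> str:
    """Which IDS port receives the mirrored copy of this frame."""
    return switch_lag_member(p) if p.dst_mac == PROXY_MAC else host_bond_member(p)


def flow_key(p: Pkt) -> Tuple[str, int, str, int]:
    """Direction-independent 4-tuple so both halves of a session match."""
    lo, hi = sorted([(p.src_ip, p.sport), (p.dst_ip, p.dport)])
    return lo + hi


def complete_handshakes(packets: Iterable[Pkt]) -> Set[Tuple[str, int, str, int]]:
    """Flows for which SYN, SYN/ACK and ACK were all observed in this stream."""
    seen: Dict[Tuple, Set[str]] = defaultdict(set)
    for p in packets:
        seen[flow_key(p)].add(p.flags)
    return {k for k, flags in seen.items() if {"S", "SA", "A"} <= flags}


def split_by_span_port(packets: Iterable[Pkt]) -> Dict[str, List[Pkt]]:
    """What each SPAN port sees on its own (one Snort instance per interface)."""
    out: Dict[str, List[Pkt]] = {m: [] for m in MEMBERS}
    for p in packets:
        out[span_port_for(p)].append(p)
    return out


def session(client_ip: str, sport: int) -> List[Pkt]:
    """Constructed client->proxy handshake plus the first request segment."""
    c2p = dict(src_mac=GATEWAY_MAC, dst_mac=PROXY_MAC, src_ip=client_ip,
               dst_ip=PROXY_IP, sport=sport, dport=PROXY_PORT)
    p2c = dict(src_mac=PROXY_MAC, dst_mac=GATEWAY_MAC, src_ip=PROXY_IP,
               dst_ip=client_ip, sport=PROXY_PORT, dport=sport)
    return [Pkt(flags="S", **c2p), Pkt(flags="SA", **p2c),
            Pkt(flags="A", **c2p), Pkt(flags="PA", **c2p)]


# Three constructed sessions; which links they use falls out of the hashes above.
SAMPLE = session("10.1.1.10", 40000) + session("10.1.1.11", 40001) + session("10.1.1.12", 40003)


if __name__ == "__main__":
    for port, pkts in split_by_span_port(SAMPLE).items():
        print(f"{port}: {len(pkts)} frames, {len(complete_handshakes(pkts))} complete handshakes")
    print(f"merged: {len(SAMPLE)} frames, {len(complete_handshakes(SAMPLE))} complete handshakes")
```

With these constructed hashes every proxy-to-gateway frame goes out one slave, while the switch spreads inbound frames across both, so two of the three sessions are visible only as SYN+ACK on one port and SYN+ACK-less data on the other; only the merged stream completes all three. On a real box the quick check for the same symptom is a capture on each SPAN port filtered to bare SYNs, e.g. `tcpdump -ni eth4 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`, and then confirming the matching SYN/ACKs appear on the other port rather than the same one. Brad's interfaces are eth4 and eth5, so James's command becomes `-i eth4:eth5`; the afpacket DAQ in passive mode reads both into one Snort instance, which is what the stream preprocessor needs to see both halves of each session.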