Snort mailing list archives

Re: Multi-sensor setup


From: "Scott Elgram" <SElgram () VerifPoint com>
Date: Wed, 22 Jul 2009 12:13:20 -0700

Ideally I was thinking of attaching one interface just before my firewall on
the internet side and the other just after the firewall on the internal
network side.  I'd like to be able to view both the traffic that is
attempting to get through the firewall on both sides and by comparison see
what traffic is making it through.  I'm relatively new to snort so I'm not
entirely sure if this is even a logical setup but I figured it was worth a
try.

-Scott
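The comparison Scott describes above (one sensor outside the firewall, one inside, then seeing which traffic made it through) can be done offline by keying each sensor's alerts on the flow 5-tuple and diffing the two sets. The following is an added example, not code from the original post or from the Snort project; the alert lines are constructed in Snort's alert_fast layout, the addresses are documentation ranges, and the `nat` mapping (public address seen outside to the internal address seen inside) is an assumption so that flows rewritten by the firewall still line up.

```python
"""Diff Snort fast-alert logs from an outside sensor and an inside sensor to
see which flows the firewall passed, blocked, or never saw from outside.

Added example: the log lines below are constructed, not real sensor output."""
import re
from collections import namedtuple

# Shape of one alert_fast line. The ":port" suffix is present for TCP/UDP
# and absent for ICMP, so it is optional in the pattern.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sig>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# A flow is its 5-tuple; port 0 stands in for "no port" (ICMP).
Flow = namedtuple("Flow", "proto src sport dst dport")

# Constructed sample: sensor on the Internet side of the firewall.
# 198.51.100.10 is the firewall's public address for the inside host.
OUTSIDE_LOG = [
    "07/22-12:01:00.000001  [**] [1:2000001:1] ICMP PING [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 198.51.100.10",
    "07/22-12:01:05.000002  [**] [1:2000002:1] SSH connection attempt [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:51234 -> 198.51.100.10:22",
    "07/22-12:01:09.000003  [**] [1:2000003:1] HTTP request [**] "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.0.113.7:40000 -> 198.51.100.10:80",
]

# Constructed sample: sensor on the internal side, after the firewall.
INSIDE_LOG = [
    "07/22-12:01:00.000150  [**] [1:2000001:1] ICMP PING [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 192.0.2.10",
    "07/22-12:01:09.000200  [**] [1:2000003:1] HTTP request [**] "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 203.0.113.7:40000 -> 192.0.2.10:80",
    "07/22-12:02:00.000300  [**] [1:2000004:1] Outbound DNS query [**] "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 192.0.2.10:53000 -> 203.0.113.53:53",
]


def parse_fast_alert(line):
    """Return {'ts', 'msg', 'flow'} for one alert_fast line, or None if it
    does not match (blank lines, banners, truncated lines)."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "msg": m.group("msg"),
        "flow": Flow(m.group("proto"),
                     m.group("src"), int(m.group("sport") or 0),
                     m.group("dst"), int(m.group("dport") or 0)),
    }


def flows_from_log(lines, nat=None):
    """Group parsed alerts by flow. `nat` (assumed mapping of the address a
    flow shows on this side to the address it shows on the other side) is
    applied to src and dst so the two sensors' keys are comparable."""
    nat = nat or {}
    flows = {}
    for line in lines:
        rec = parse_fast_alert(line)
        if rec is None:
            continue
        f = rec["flow"]
        key = f._replace(src=nat.get(f.src, f.src), dst=nat.get(f.dst, f.dst))
        flows.setdefault(key, []).append(rec)
    return flows


def compare_sides(outside_lines, inside_lines, nat=None):
    """Split flows into those seen on both sensors (the firewall passed
    them), outside only (the firewall dropped them, or the inside rule set
    never fired), and inside only (internal traffic or NAT not mapped)."""
    outside = set(flows_from_log(outside_lines, nat))
    inside = set(flows_from_log(inside_lines))
    return {
        "passed": sorted(outside & inside),
        "blocked": sorted(outside - inside),
        "inside_only": sorted(inside - outside),
    }


if __name__ == "__main__":
    result = compare_sides(OUTSIDE_LOG, INSIDE_LOG,
                           nat={"198.51.100.10": "192.0.2.10"})
    for verdict, flows in result.items():
        for f in flows:
            print(f"{verdict:12} {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

Two caveats the sample makes visible: a flow lands in "blocked" only if the same rule fired on both sensors, so both instances need the same rule set and the same clock source, and without the NAT mapping every inbound flow would appear blocked because the outside sensor sees the public address while the inside one sees the private address.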

-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity () gmail com] 
Sent: Wednesday, July 22, 2009 12:07 PM
To: SElgram () verifpoint com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Multi-sensor setup

Hello,

What do you expect to have xl0 and xl1 monitor?

Richard

On 7/22/09, Scott Elgram <SElgram () verifpoint com> wrote:
Hello,

I have recently completed a Snort install on FreeBSD but I'm unable to get
it to do what I would like.  I have 3 interface cards installed (fxp0, xl0,
xl1) and my plan is to set up fxp0 with an IP address for BASE and leave the
other two as Snort sensors without IP addresses in "promisc -arp" mode.

If I set snort_interface to either xl0 or xl1 Snort runs perfectly fine for
the assigned interface but not at all for the unassigned interface,
obviously.  After some digging I found some posts that stated I could
accomplish my goal by bridging the two interfaces, which I have done with
the following in my rc.conf file:

----------------------------------
# create the bridge pseudo-interface at boot
cloned_interfaces="bridge0"
# make both sensor NICs members of the bridge and bring it up
ifconfig_bridge0="addm xl0 addm xl1 up"
# bring each sensor NIC up with no IP address, promiscuous, ARP disabled
ifconfig_xl0="up promisc -arp"
ifconfig_xl1="up promisc -arp"
----------------------------------


However, this still does not log consistent data for the two networks.  With
snort_interface set to xl0, I ping through the network connected to xl0 and
I get all the data; if I ping through the network connected to xl1 I only
get two entries and then nothing after that. Ever.  I get the same result
with snort_interface set to bridge0.  Additionally, the 2 entries I do get
from pinging through the xl1 network are logged as sensor xl0.

Am I missing something? Is this something snort can do?

Thanks,

-Scott

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
