Snort mailing list archives

Re: Security Onion and a new VLan?

From: Joel Esler <jesler () sourcefire com>
Date: Wed, 30 May 2012 15:36:30 -0400

I don't mind Security Onion related conversations on the Snort lists Doug.  Especially when they are about Snort ;)

J

On May 30, 2012, at 2:20 PM, Doug Burks wrote:

Hi Corbin,

It sounds like you're getting packets into eth1, but there are no
processes running on that interface to sniff the traffic.  When you
ran Setup, did you specify that both eth0 and eth1 should be used for
monitoring?

Since this question is specific to Security Onion, we should probably
continue this discussion on the Security Onion mailing list:
http://groups.google.com/group/security-onion

Thanks,
Doug

On Wed, May 30, 2012 at 1:08 PM, Corbin Fletcher <corbin () freeway com> wrote:

Hello Snort Community,

We are attempting to monitor a larger part of our total network traffic
on Vlan 66.113.xx.xx we are running Security Onion (SO) in a production
environment, using Proxmox for VM and utilizing  Squil, and Snorby for
analysis. We have added the Vlan bridge in Proxmox and 66.113.xx.xx has
been added to our $HOME_NET.

SO has an IP address of 10.10.xx.xxx on eth0 (which is not ideal) and
the data collected from this Vlan is accurately reflected in Squil and
Snorby. We see events from eth0 in Squil and Snorby, but nothing for
eth1. And all data collected on eth0 is from the 10.10.xx.xxx Vlan
exclusivity.

When I run snort -i eth1 our sensor captures data from the 66.113.xx.xx
Vlan, which is correct.

Do I need to add a static IP address e.g., 66.113.xx.xx to eth1 to fix
this issue?

Is there some work I need to do in the config file?

Our sensor is not monitoring Vlan 66.113.xx.xx.

When I start Squil, I check the box eth0 and eth1, which are the network
I want to monitor. No data from eth1 is showing in Snorby and Squil.

Ifconfig eth1& eth0

eth1   Link encap:Ethernet  HWaddr 96:23:88:bd:5a:6c
          inet6 addr: fe80::9423:88ff:febd:5a6c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4395272 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:351806305 (351.8 MB)  TX bytes:2826 (2.8 KB)
          Interrupt:11 Base address:0x6000

eth0   Link encap:Ethernet  HWaddr 0a:60:90:b1:79:2f
          inet addr:10.10.xx.xx  Bcast:10.10.xx.xxx  Mask:255.255.255.0
          inet6 addr: fe80::860:90ff:feb1:792f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5565523 errors:0 dropped:52 overruns:0 frame:0
          TX packets:161922 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:881258190 (881.2 MB)  TX bytes:48699421 (48.6 MB)
          Interrupt:10 Base address:0xc000

Thanks in advance. Any guidance is much appreciated.


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




-- 
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Security Onion and a new VLan? Corbin Fletcher (May 30)
- Re: Security Onion and a new VLan? Doug Burks (May 30)
  - Re: Security Onion and a new VLan? Joel Esler (May 30)
- Re: Security Onion and a new VLan? Eoin Miller (May 30)
  - Re: Security Onion and a new VLan? Naresh Narang (May 30)