Snort mailing list archives

Snort IDS Monitoring a Proxy Server with Mode 4 Bonding


From: "Turnbough, Bradley E." <bturnbough () belcan com>
Date: Fri, 28 Feb 2014 21:16:58 +0000

Afternoon,

I'm having some difficulties implementing a Snort solution for a proxy server that is using Linux mode 4 bonding.

Proxy Server port configuration:

GigabitEthernet 0/12     YES up         up          [SLAG-120] proxy01 (eth0)
GigabitEthernet 1/12     YES up         up          [SLAG-120] proxy01 (eth1)
Port-channel 120         YES up         up          [SLAG] proxy01

interface GigabitEthernet 0/12
 description [SLAG-120] proxy01 (eth0)
 no ip address
 mtu 9252
 no shutdown

interface GigabitEthernet 1/12
 description [SLAG-120] proxy01 (eth1)
 no ip address
 mtu 9252
 no shutdown

interface Port-channel 120
 description [SLAG] prox01
 no ip address
 mtu 9252
 switchport
 channel-member GigabitEthernet 0/12
 channel-member GigabitEthernet 1/12
 no shutdown

monitor session 0
 source GigabitEthernet 0/12 destination GigabitEthernet 1/40 direction both
!
monitor session 1
 source GigabitEthernet 1/12 destination GigabitEthernet 1/39 direction both

-----------------------------------------------------------
IDS SYSTEM PORT CONFIGURATION:
-----------------------------------------------------------
GigabitEthernet 1/39     YES up         up          [SPAN] ids01 (eth5) (src:gig1 /12)
GigabitEthernet 1/40     YES up         up          [SPAN] ids01 (eth4) (src:gig0 /12)

interface GigabitEthernet 1/39
 description [SPAN] ids01 (eth5) (src:gig1 /12)
 no ip address
 no shutdown

interface GigabitEthernet 1/40
 description [SPAN] ids01 (eth4) (src:gig0 /12)
 no ip address
 no shutdown


monitor session 0
 source GigabitEthernet 0/12 destination GigabitEthernet 1/40 direction both
!
monitor session 1
 source GigabitEthernet 1/12 destination GigabitEthernet 1/39 direction both


For some reason my IDS is not keeping track of HTTP sessions as it did when the proxy server had only one interface, so I took eth4 and eth5 on the IDS box and bridged them to br0. I then set up Snort to monitor br0, but still no change in outcome.

Do I need to create a mode 4 bond on the ids side and sniff that?

What am I doing wrong here?  Surely I must be missing something.

Thanks,

Brad
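As an added illustration, not part of Brad's post or of any Snort code, the following Python model shows why two SPAN sessions that each mirror one physical member of an LACP (mode 4) bundle can each deliver only one direction of a proxy session to the IDS. Frames toward the proxy are placed on a member by the switch's load-balancing hash, while the proxy's replies are placed by the Linux bonding driver's own hash; the two sides choose independently, so one session's two directions can travel on different links. The addresses, ports and both hash rules below are constructed assumptions for the demonstration, not the exact switch or kernel algorithms.

```python
"""Why a SPAN of one LACP bond member can hide half of a TCP session.

Constructed model: a two-member 802.3ad bundle between a switch and a proxy.
Frames toward the proxy are placed on a member by the switch's hash; replies
are placed by the proxy's bonding driver.  The hash functions are simplified
stand-ins, not the real switch or Linux kernel implementations."""
from dataclasses import dataclass
from ipaddress import IPv4Address

N_LINKS = 2  # eth0/eth1 on the proxy; Gi0/12 and Gi1/12 on the switch


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    note: str  # human-readable label such as "SYN"


def proxy_bond_hash(pkt: Packet) -> int:
    """Assumed host-side rule in the style of xmit_hash_policy=layer3+4:
    XOR of both addresses and both ports, reduced modulo the member count."""
    value = int(IPv4Address(pkt.src_ip)) ^ int(IPv4Address(pkt.dst_ip))
    value ^= pkt.src_port ^ pkt.dst_port
    return value % N_LINKS


def switch_portchannel_hash(pkt: Packet) -> int:
    """Assumed switch-side rule: source IP only.  Real switches vary by
    vendor and configuration; this is a constructed stand-in."""
    return int(IPv4Address(pkt.src_ip)) % N_LINKS


def place_on_links(packets, proxy_ip):
    """Return [(link_index, direction, packet)] for a session.  Direction is
    'to_proxy' (placed by the switch) or 'from_proxy' (placed by the bond)."""
    placed = []
    for pkt in packets:
        if pkt.dst_ip == proxy_ip:
            placed.append((switch_portchannel_hash(pkt), "to_proxy", pkt))
        else:
            placed.append((proxy_bond_hash(pkt), "from_proxy", pkt))
    return placed


def directions_seen(placed, link_index):
    """Directions visible to a SPAN session mirroring only one member."""
    return {direction for link, direction, _ in placed if link == link_index}


def directions_seen_merged(placed):
    """Directions visible when both members' mirrors reach one capture."""
    return {direction for _, direction, _ in placed}


def session_trackable(directions) -> bool:
    """Stream tracking needs both halves of the conversation."""
    return directions == {"to_proxy", "from_proxy"}


def build_session(client_ip, client_port, proxy_ip, proxy_port=8080):
    """Constructed client-to-proxy exchange: handshake, request, response."""
    def c2p(note):
        return Packet(client_ip, proxy_ip, client_port, proxy_port, note)

    def p2c(note):
        return Packet(proxy_ip, client_ip, proxy_port, client_port, note)

    return [c2p("SYN"), p2c("SYN/ACK"), c2p("ACK"), c2p("GET"), p2c("200 OK")]


PROXY_IP = "10.0.1.10"  # constructed address
SESSION_A = build_session("10.0.0.5", 51235, PROXY_IP)  # directions split
SESSION_B = build_session("10.0.0.6", 51236, PROXY_IP)  # stays on one link


def report(session, label):
    placed = place_on_links(session, PROXY_IP)
    for link in range(N_LINKS):
        seen = directions_seen(placed, link)
        print(f"{label} SPAN of member {link}: {sorted(seen)} "
              f"trackable={session_trackable(seen)}")
    merged = directions_seen_merged(placed)
    print(f"{label} merged capture: trackable={session_trackable(merged)}")


if __name__ == "__main__":
    report(SESSION_A, "session A")
    report(SESSION_B, "session B")
```

In the model, session A's requests ride member 1 and its replies ride member 0, so neither single-member SPAN gives the IDS a trackable session, while a capture that merges both mirrors does; session B happens to land entirely on member 0, which is why the symptom can look intermittent. The practical check on the IDS box is to capture on eth4 and eth5 separately and confirm whether both directions of a test session appear on each; whatever the final design, Snort has to read a single interface that carries both members' mirrored traffic.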

