Snort mailing list archives

Re: Snort IDS Monitoring a Proxy Server with Mode 4 Bonding


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 28 Feb 2014 14:44:12 -0700

On 2014-02-28 14:16, Turnbough, Bradley E. wrote:
Afternoon,

I'm having some difficulties implementing a Snort solution for a
proxy server that is using Linux mode 4 bonding.

Proxy Server port configuration:

GigabitEthernet 0/12     YES up         up          [SLAG-120] proxy01 (eth0)
GigabitEthernet 1/12     YES up         up          [SLAG-120] proxy01 (eth1)
Port-channel 120         YES up         up          [SLAG] proxy01

interface GigabitEthernet 0/12
 description [SLAG-120] proxy01 (eth0)
 no ip address
 mtu 9252
 no shutdown

interface GigabitEthernet 1/12
 description [SLAG-120] proxy01 (eth1)
 no ip address
 mtu 9252
 no shutdown

interface Port-channel 120
 description [SLAG] prox01
 no ip address
 mtu 9252
 switchport
 channel-member GigabitEthernet 0/12
 channel-member GigabitEthernet 1/12
 no shutdown

monitor session 0
 source GigabitEthernet 0/12 destination GigabitEthernet 1/40 direction both
!
monitor session 1
 source GigabitEthernet 1/12 destination GigabitEthernet 1/39 direction both

-----------------------------------------------------------
IDS SYSTEM PORT CONFIGURATION:
-----------------------------------------------------------
GigabitEthernet 1/39     YES up         up          [SPAN] ids01 (eth5) (src:gig1 /12)
GigabitEthernet 1/40     YES up         up          [SPAN] ids01 (eth4) (src:gig0 /12)

interface GigabitEthernet 1/39
 description [SPAN] ids01 (eth5) (src:gig1 /12)
 no ip address
 no shutdown

interface GigabitEthernet 1/40
 description [SPAN] ids01 (eth4) (src:gig0 /12)
 no ip address
 no shutdown


monitor session 0
 source GigabitEthernet 0/12 destination GigabitEthernet 1/40 direction both
!
monitor session 1
 source GigabitEthernet 1/12 destination GigabitEthernet 1/39 direction both


For some reason my IDS is not keeping track of HTTP sessions as it
did when the proxy server was only one interface, so I took eth4 and
eth5 on the IDS box and I bridged them to br0. I then set up Snort to
monitor br0, but still no change in outcome.

Do I need to create a mode 4 bond on the ids side and sniff that?

What am I doing wrong here?  Surely I must be missing something.

Thanks,

Brad

DAQ may save the day:

snort -D --daq afpacket --daq-mode passive -i eth0:eth1

James
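One way to apply James's suggestion to Brad's IDS box, as an added example that is not part of the thread: it assumes the two SPAN-facing NICs are eth4 and eth5 (as in Brad's port descriptions), Snort 2.9 with the afpacket DAQ, and a config at /etc/snort/snort.conf. Because mode 4 bonding hashes flows across both legs, each SPAN port sees only part of a session, so the script checks that both NICs are receiving before handing the pair to one Snort process.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: eth4/eth5 are the
# SPAN-facing NICs on ids01 and Snort uses the afpacket DAQ.

# Build the colon-separated list the afpacket DAQ takes in passive mode,
# so both legs of the port-channel are merged into one packet stream.
daq_ifaces() {
    printf '%s' "$*" | tr ' ' ':'
}

# Assemble the Snort command line without running it, so it can be
# inspected before the daemon is started.
snort_cmd() {
    conf=$1; shift
    printf 'snort -D -c %s --daq afpacket --daq-mode passive -i %s' \
        "$conf" "$(daq_ifaces "$@")"
}

# Bring a SPAN NIC up with no address, promiscuous, and with receive
# offloads that coalesce segments (GRO/LRO) disabled, so Snort sees
# packets as they crossed the wire. Needs root; ethtool may be absent.
prep_span_nic() {
    ip link set dev "$1" up promisc on arp off
    ethtool -K "$1" gro off lro off 2>/dev/null || true
}

# Read rx_packets for one NIC from sysfs. $2 overrides the sysfs root
# so a test can point at a constructed directory tree.
rx_packets() {
    cat "${2:-/sys/class/net}/$1/statistics/rx_packets"
}

# Sanity check for the split-flow problem: with mode 4 bonding each leg
# carries part of the traffic, so every SPAN NIC listed must be
# receiving. Returns 0 when all counters are non-zero, 1 otherwise.
both_legs_receiving() {
    root=$1; shift
    for ifc in "$@"; do
        n=$(rx_packets "$ifc" "$root")
        [ "$n" -gt 0 ] || { echo "no packets on $ifc" >&2; return 1; }
    done
    return 0
}

# Only acts when invoked as: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
    for ifc in eth4 eth5; do prep_span_nic "$ifc"; done
    both_legs_receiving /sys/class/net eth4 eth5 || exit 1
    sh -c "$(snort_cmd /etc/snort/snort.conf eth4 eth5)"
fi
```

No br0 bridge is needed on the IDS: the DAQ reads both NICs itself and Snort's stream reassembly sees both halves of each session.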

