Snort mailing list archives
Sniffing Bonded Ports (Linux, mode=4)
From: "Turnbough, Bradley E." <bturnbough () belcan com>
Date: Fri, 14 Mar 2014 16:12:13 +0000
I have a proxy server with two network ports. Both ports are part of a Linux mode 4 bond on the proxy itself. On the switch side, I have the ports configured as part of a channel group. I am mirroring both ports individually as I cannot mirror the channel-group itself.

On the IDS side, I have tried at least three different approaches:

1) Sniff each port individually using separate snort processes. Further thought led me to believe that the snort processes were only catching 50% of the session traffic, so this was ruled out as an option.

2) Sniff each port using "--daq afpacket --daq-mode passive -i eth4:eth5", however no alerts are generated. Not sure why this doesn't work.

3) Create a "mode=4" bond on the IDS sensor with the mirrored proxy ports as members. Sniff the bond "bond0" using one snort process. No alerts have been generated with this method.

Has anyone ever successfully sniffed mode=4 groups / interfaces? What am I doing wrong?

Brad