Snort mailing list archives

Sniffing Bonded Ports (Linux, mode=4)


From: "Turnbough, Bradley E." <bturnbough () belcan com>
Date: Fri, 14 Mar 2014 16:12:13 +0000

I have a proxy server with two network ports.  Both ports are part of a Linux mode 4 bond on the proxy itself.

On the switch side, I have the ports configured as part of a channel group.

I am mirroring both ports individually as I cannot mirror the channel-group itself.

On the IDS side, I have tried at least three different approaches:

1) Sniff each port individually using separate snort processes.  Further thought led me to believe that the snort 
processes were only catching 50% of the session traffic so this was ruled out as an option.

2) Sniff each port using "--daq afpacket --daq-mode passive -i eth4:eth5", however no alerts are generated.  Not sure 
why this doesn't work.

3) Create a "mode=4" bond on the IDS sensor with the mirrored proxy ports as members.  Sniff the bond "bond0" using one 
snort process.  No alerts have been generated with this method.

Has anyone ever successfully sniffed mode=4 groups / interfaces?  What am I doing wrong?

Brad
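One check worth running for approach 3, added here as an example and not part of the message above: a mode=4 bond only treats a slave as active once it has joined the bond's active aggregator, and slaves left outside it are marked inactive by the bonding driver, so a sniffer on bond0 would see little or nothing from them. The script parses the driver's /proc/net/bonding/bond0 report (field names as printed by the Linux bonding driver; the sample file is constructed) and lists any slave whose aggregator differs from the active one.

```shell
#!/bin/sh
# Added example (not the original poster's code): report slaves of a mode=4
# bond that did not join the active aggregator, using the driver's own
# /proc/net/bonding/<bond> report as input.
bond_inactive_slaves() {
    awk '
        # The "Active Aggregator Info:" block names the aggregator in use.
        /^Active Aggregator Info:/ { in_active = 1; next }
        in_active && /Aggregator ID:/ { active_id = $NF; in_active = 0; next }
        # Each slave section starts with "Slave Interface:" and later prints
        # the aggregator that slave was placed in.
        /^Slave Interface:/ { slave = $NF; next }
        slave != "" && /Aggregator ID:/ {
            if ($NF != active_id) print slave
            slave = ""
        }
    ' "$1"
}

# Constructed sample report: eth4 joined aggregator 1 (the active one) while
# eth5 sits alone in aggregator 2, as happens when no LACP partner answers.
SAMPLE_BOND=$(mktemp)
trap 'rm -f "$SAMPLE_BOND"' EXIT
cat > "$SAMPLE_BOND" <<'EOF'
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
MII Status: up

802.3ad info
LACP rate: slow
Active Aggregator Info:
	Aggregator ID: 1
	Number of ports: 1
	Partner Mac Address: 00:00:00:00:00:00

Slave Interface: eth4
MII Status: up
Aggregator ID: 1

Slave Interface: eth5
MII Status: up
Aggregator ID: 2
EOF

# On a real sensor: bond_inactive_slaves /proc/net/bonding/bond0
bond_inactive_slaves "$SAMPLE_BOND"   # prints: eth5
```

An empty result means every member is in the active aggregator; any interface printed is one whose mirrored traffic the bond will not pass up to the sniffer.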
