Re: Cannot get Snort listen on a second network interface (creating a gateway)

[Henry Collins <hcol1987 () gmail com>]

I will look into how I can configure this. My host is running in WMware and
it needs some special configuration.

However, is it not possible to achieve the same with just configuring
gateway on my management machine (the gateway (10.165.17.70) that accesses
another gateway (10.165.17.1))? So that packets coming in eth1 could be
inspected by Snort without spanning? If yes, do you know how?

On Mon, Feb 23, 2015 at 3:20 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

>  The span should be done on your network switch.  Your switch will have
> to mirror the traffic to Snort. Snort only processes traffic sent to its
> interface.
>
>
>
> If you have removed the ip from eth1 you wont be able to route traffic
> through that interface.
>
>
>
> I think your best bet is to span traffic to eth1 and set snort to monitor
> there.
>
>
>
> Hope this helps.
>
>
>
> Albert Lewis
>
> QA Software Engineer
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi () cisco com
>
>
>
> *From:* Henry Collins [mailto:hcol1987 () gmail com]
> *Sent:* Monday, February 23, 2015 9:10 AM
> *To:* Al Lewis (allewi)
> *Cc:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] Cannot get Snort listen on a second network
> interface (creating a gateway)
>
>
>
> I deleted IP address from eth1, but I still cannot see anything on my
> gateway. I used -i eth1 parameter. How do I make computers that try to use
> my gateway come through eth1 and reach external internet (outside the
> subnet) via eth0?
>
>
>
> My interfaces file looks like this now:
>
>
>
> # This file describes the network interfaces available on your system
>
> # and how to activate them. For more information, see interfaces(5).
>
>
>
> # The loopback network interface
>
> auto lo
>
> iface lo inet loopback
>
>
>
> # The primary network interface
>
> auto eth0
>
> iface eth0 inet static
>
> address 10.165.17.66
>
> gateway 10.165.17.1
>
> dns-nameservers 10.165.0.10 10.165.0.11
>
> netmask 255.255.255.0
>
> broadcast 10.165.17.255
>
>
>
> # The secondary network interface
>
> auto eth1
>
> iface eth1 inet static
>
> dns-nameservers 10.165.0.10 10.165.0.11
>
> netmask 255.255.255.0
>
> broadcast 10.165.17.255
>
>
>
> And ifconfig gives this output:
>
>
>
> eth0      Link encap:Ethernet  HWaddr 00:0c:29:83:e8:ff
>
>           inet addr:10.165.17.66  Bcast:10.165.17.255  Mask:255.255.255.0
>
>           inet6 addr: fe80::20c:29ff:fe83:e8ff/64 Scope:Link
>
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
>           RX packets:695 errors:0 dropped:0 overruns:0 frame:0
>
>           TX packets:178 errors:0 dropped:0 overruns:0 carrier:0
>
>           collisions:0 txqueuelen:1000
>
>           RX bytes:54360 (54.3 KB)  TX bytes:28055 (28.0 KB)
>
>
>
> eth1      Link encap:Ethernet  HWaddr 00:0c:29:83:e8:09
>
>           inet6 addr: fe80::20c:29ff:fe83:e809/64 Scope:Link
>
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
>           RX packets:232 errors:0 dropped:0 overruns:0 frame:0
>
>           TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
>
>           collisions:0 txqueuelen:1000
>
>           RX bytes:16781 (16.7 KB)  TX bytes:648 (648.0 B)
>
>
>
> lo        Link encap:Local Loopback
>
>           inet addr:127.0.0.1  Mask:255.0.0.0
>
>           inet6 addr: ::1/128 Scope:Host
>
>           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>
>           collisions:0 txqueuelen:0
>
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>
>
>
>
> > You may want to span traffic to the monitoring interface and put it into
> promiscuous mode so you can see all traffic on that subnet.
>
> How do i do that?
>
>
>
> I have changed ip addresses in my snort.conf:
>
> ipvar HOME_NET 10.165.17.0/24
>
> ipvar EXTERNAL_NET !$HOME_NET
>
>
>
> Because my subnet is 10.165.17.0 - 10.165.17.255
>
>
>
>
>
>
>
> On Mon, Feb 23, 2015 at 1:05 PM, Al Lewis (allewi) <allewi () cisco com>
> wrote:
>
> Hello Henry,
>
>
>
> Use “-i ” to set the monitoring interface. Some other uses with the daq
> are listed here: http://manual.snort.org/node7.html
>
>
>
> If you set an IP on that interface snort will only see the packets
> destined for that host.
>
>
>
> You may want to span traffic to the monitoring interface and put it into
> promiscuous mode so you can see all traffic on that subnet.
>
>
>
> Also… Hosts on your network wont use your gateway to access each other
> because based on your subnet mask/network number they are all in the
> *same* subnet. Once they ARP for the destination they will send the
> packets directly to the end point and not your machine. Hosts will only use
> a default gateway to get to networks they don’t know about (not within
> their current subnet).
>
>
>
>
>
> Hope this helps.
>
>
>
> Albert Lewis
>
> QA Software Engineer
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi () cisco com
>
>
>
> *From:* Henry Collins [mailto:hcol1987 () gmail com]
> *Sent:* Monday, February 23, 2015 5:41 AM
> *To:* snort-users () lists sourceforge net
> *Subject:* [Snort-users] Cannot get Snort listen on a second network
> interface (creating a gateway)
>
>
>
> I have a small subnet that consists of several computers. I want these
> computers to configure in such a way that they would use my gateway to
> access each other and the external internet.
>
>
>
> There is already a gateway working in the subnet, but it doesn't have
> Snort installed. It's ip is 10.165.17.1
>
>
>
> I am working on creating another gateway that would use the upper gateway
> to serve computers in the subnet, but this gateway would receive packets
> from computers in the subnet. In this way, I want to instruct Snort to
> listen on for example eth1, which would be used for computers in the subnet
> and eth0 for communication with the subnet's gateway (10.165.17.1). How is
> it done?
>
>
>
> Here is a short overview of my network:
>
>
>
> Gateways:
>
> 10.165.17.1 (has access to external internet and computers in the subnet)
>
> 10.165.17.70 (is used by computers in the subnet as gateway and uses
> 10.165.17.1 as its gateway)
>
>
>
> Computers:
>
> 10.165.17.60 (gateway: 10.165.17.70)
>
> 10.165.17.61 (gateway: 10.165.17.70)
>
> and so on...
>
>
>
> This is my /etc/network/interfaces so far. However, eth1 doesn't get an
> IP. How do I fix this? I want to make Snort listen on eth1:
>
>
>
> # This file describes the network interfaces available on your system
>
> # and how to activate them. For more information, see interfaces(5).
>
>
>
> # The loopback network interface
>
> auto lo
>
> iface lo inet loopback
>
>
>
> # The primary network interface
>
> auto eth0
>
> iface eth0 inet static
>
> address 10.165.17.66
>
> gateway 10.165.17.1
>
> dns-nameservers 10.165.0.10 10.165.0.11
>
> netmask 255.255.255.0
>
> broadcast 10.165.17.255
>
>
>
> # The secondary network interface
>
> auto eth1
>
> iface eth1 inet static
>
> address 10.165.17.70
>
> gateway 10.165.17.1
>
> dns-nameservers 10.165.0.10 10.165.0.11
>
> netmask 255.255.255.0
>
> broadcast 10.165.17.255
>
>
>
> This is output from ifconfig:
>
>
>
> eth0      Link encap:Ethernet  HWaddr 00:0c:29:83:e8:ff
>
>           inet addr:10.165.17.66  Bcast:10.165.17.255  Mask:255.255.255.0
>
>           inet6 addr: fe80::20c:29ff:fe83:e8ff/64 Scope:Link
>
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
>           RX packets:137 errors:0 dropped:21 overruns:0 frame:0
>
>           TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
>
>           collisions:0 txqueuelen:1000
>
>           RX bytes:16987 (16.9 KB)  TX bytes:928 (928.0 B)
>
>
>
> eth1      Link encap:Ethernet  HWaddr 00:0c:29:83:e8:09
>
>           inet6 addr: fe80::20c:29ff:fe83:e809/64 Scope:Link
>
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
>           RX packets:92 errors:0 dropped:11 overruns:0 frame:0
>
>           TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
>
>           collisions:0 txqueuelen:1000
>
>           RX bytes:9675 (9.6 KB)  TX bytes:648 (648.0 B)
>
>
>
> lo        Link encap:Local Loopback
>
>           inet addr:127.0.0.1  Mask:255.0.0.0
>
>           inet6 addr: ::1/128 Scope:Host
>
>           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>
>           collisions:0 txqueuelen:0
>
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!