Re: Multi-sensor setup

[Richard Bejtlich <taosecurity () gmail com>]

Hello,

What do you expect to have xl0 and xl1 monitor?

Richard

On 7/22/09, Scott Elgram <SElgram () verifpoint com> wrote:
> Hello,
>
>             I have recently completed a Snort install on FreeBSD but I'm
> unable to get it to do what I would like.  I have 3 interface cards
> installed (fxp0, xl0, xl1) and my plan is to set up fxp0 with an IP address
> for BASE and leave the other two as Snort sensors without IP addresses in
> "promisc -arp" mode.
>
> If I set snort_interface to either xl0 or xl1 Snort runs perfectly fine for
> the assigned interface but not at all for the unassigned interface,
> obviously.  After some digging I found some posts that stated I could
> accomplish my goal by bridging the two interfaces, which I have done with
> the following in my rc.conf file:
>
> ----------------------------------
>
> cloned_interfaces="bridge0"
>
> ifconfig_bridge0="addm xl0 addm xl1 up"
>
> ifconfig_xl0="up promisc -arp"
>
> ifconfig_xl1="up promisc -arp"
>
> ----------------------------------
>
>
>
> However, this still does not log consistent data for the two networks.  With
> snort_interface set to xl0, I ping through the network connected to xl0 and
> I get all the data, if I ping through the network connected to xl1 I only
> get two entries and then nothing after that.ever.  I get the same result
> with snort_interface set to bridge0.  Additionally, the 2 entries I do get
> from pinging through the xl1 network are logged as sensor xl0.
>
>
>
> Am I missing something, is this something snort can do?
>
>
>
> Thanks,
>
> -Scott

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users