Snort mailing list archives

Security Onion and a new VLAN?


From: Corbin Fletcher <corbin () freeway com>
Date: Wed, 30 May 2012 10:08:20 -0700

Hello Snort Community,

We are attempting to monitor a larger part of our total network traffic 
on VLAN 66.113.xx.xx. We are running Security Onion (SO) in a production 
environment, using Proxmox for VMs and utilizing Sguil and Snorby for 
analysis. We have added the VLAN bridge in Proxmox, and 66.113.xx.xx has 
been added to our $HOME_NET.

SO has an IP address of 10.10.xx.xxx on eth0 (which is not ideal), and 
the data collected from this VLAN is accurately reflected in Sguil and 
Snorby. We see events from eth0 in Sguil and Snorby, but nothing for 
eth1. All data collected on eth0 is from the 10.10.xx.xxx VLAN 
exclusively.

When I run snort -i eth1, our sensor captures data from the 66.113.xx.xx 
VLAN, which is correct.

Do I need to add a static IP address, e.g., 66.113.xx.xx, to eth1 to fix 
this issue?

Is there some work I need to do in the config file?

Our sensor is not monitoring VLAN 66.113.xx.xx.

When I start Sguil, I check the boxes for eth0 and eth1, which are the 
networks I want to monitor. No data from eth1 is showing in Snorby and Sguil.

ifconfig eth1 & eth0:

eth1   Link encap:Ethernet  HWaddr 96:23:88:bd:5a:6c
           inet6 addr: fe80::9423:88ff:febd:5a6c/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:4395272 errors:0 dropped:0 overruns:0 frame:0
           TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:351806305 (351.8 MB)  TX bytes:2826 (2.8 KB)
           Interrupt:11 Base address:0x6000

eth0   Link encap:Ethernet  HWaddr 0a:60:90:b1:79:2f
           inet addr:10.10.xx.xx  Bcast:10.10.xx.xxx  Mask:255.255.255.0
           inet6 addr: fe80::860:90ff:feb1:792f/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:5565523 errors:0 dropped:52 overruns:0 frame:0
           TX packets:161922 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:881258190 (881.2 MB)  TX bytes:48699421 (48.6 MB)
           Interrupt:10 Base address:0xc000

Thanks in advance. Any guidance is much appreciated.
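An added check, not part of the original post or of the Security Onion project, that parses legacy ifconfig output like the blocks quoted above and reports what matters for a passive sniffing port: a missing IPv4 address is normal for a sensor tap, but a missing PROMISC flag means no capture process currently has the interface open, and the kernel drop counter is worth watching. SAMPLE_IFCONFIG is constructed from the poster's output with the masked octets kept as posted.

```python
import re

# Constructed sample: the two ifconfig blocks from the post (masked octets kept).
SAMPLE_IFCONFIG = """\
eth1   Link encap:Ethernet  HWaddr 96:23:88:bd:5a:6c
           inet6 addr: fe80::9423:88ff:febd:5a6c/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:4395272 errors:0 dropped:0 overruns:0 frame:0
           TX packets:9 errors:0 dropped:0 overruns:0 carrier:0

eth0   Link encap:Ethernet  HWaddr 0a:60:90:b1:79:2f
           inet addr:10.10.xx.xx  Bcast:10.10.xx.xxx  Mask:255.255.255.0
           inet6 addr: fe80::860:90ff:feb1:792f/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:5565523 errors:0 dropped:52 overruns:0 frame:0
           TX packets:161922 errors:0 dropped:0 overruns:0 carrier:0
"""

def parse_ifconfig(text):
    """Return {iface: fields} from legacy (net-tools) ifconfig output."""
    ifaces = {}
    # Each interface block starts at column 0; continuation lines are indented.
    for block in re.split(r"\n(?=\S)", text.strip()):
        lines = block.splitlines()
        name = lines[0].split()[0]
        body = "\n".join(lines[1:])
        flags_line = next((l for l in lines if re.search(r"\bUP\b", l)), "")
        flags = set(flags_line.split("MTU:")[0].split())   # UP BROADCAST ...
        rx = re.search(r"RX packets:(\d+).*?dropped:(\d+)", body)
        tx = re.search(r"TX packets:(\d+)", body)
        ifaces[name] = {
            "has_ipv4": bool(re.search(r"inet addr:", body)),  # "inet6" excluded
            "promisc": "PROMISC" in flags,
            "rx_packets": int(rx.group(1)) if rx else 0,
            "rx_dropped": int(rx.group(2)) if rx else 0,
            "tx_packets": int(tx.group(1)) if tx else 0,
        }
    return ifaces

def sniff_interface_findings(iface):
    """Observations that matter for a dedicated sensor (tap/mirror) port."""
    notes = []
    if not iface["promisc"]:
        notes.append("no PROMISC flag: no sniffer currently has this interface open")
    if iface["rx_packets"] == 0:
        notes.append("no frames received: check the bridge/mirror feeding it")
    if iface["rx_dropped"]:
        notes.append(f"{iface['rx_dropped']} frames dropped by the kernel")
    if iface["tx_packets"] > iface["rx_packets"] // 1000:
        notes.append("interface is transmitting: looks like a management port, not a tap")
    return notes
```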

