Snort mailing list archives
Re: Security Onion and a new VLan?
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 30 May 2012 15:36:30 -0400
I don't mind Security Onion related conversations on the Snort lists, Doug. Especially when they are about Snort ;)

J

On May 30, 2012, at 2:20 PM, Doug Burks wrote:

Hi Corbin,

It sounds like you're getting packets into eth1, but there are no processes running on that interface to sniff the traffic. When you ran Setup, did you specify that both eth0 and eth1 should be used for monitoring?

Since this question is specific to Security Onion, we should probably continue this discussion on the Security Onion mailing list:
http://groups.google.com/group/security-onion

Thanks,
Doug

On Wed, May 30, 2012 at 1:08 PM, Corbin Fletcher <corbin () freeway com> wrote:

Hello Snort Community,

We are attempting to monitor a larger part of our total network traffic on VLAN 66.113.xx.xx. We are running Security Onion (SO) in a production environment, using Proxmox for VMs and utilizing Sguil and Snorby for analysis. We have added the VLAN bridge in Proxmox, and 66.113.xx.xx has been added to our $HOME_NET. SO has an IP address of 10.10.xx.xxx on eth0 (which is not ideal), and the data collected from this VLAN is accurately reflected in Sguil and Snorby. We see events from eth0 in Sguil and Snorby, but nothing for eth1, and all data collected on eth0 is from the 10.10.xx.xxx VLAN exclusively. When I run snort -i eth1, our sensor captures data from the 66.113.xx.xx VLAN, which is correct.

Do I need to add a static IP address, e.g. 66.113.xx.xx, to eth1 to fix this issue? Is there some work I need to do in the config file? Our sensor is not monitoring VLAN 66.113.xx.xx. When I start Sguil, I check the boxes for eth0 and eth1, which are the networks I want to monitor. No data from eth1 is showing in Snorby and Sguil.

ifconfig eth1 & eth0:

eth1      Link encap:Ethernet  HWaddr 96:23:88:bd:5a:6c
          inet6 addr: fe80::9423:88ff:febd:5a6c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4395272 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:351806305 (351.8 MB)  TX bytes:2826 (2.8 KB)
          Interrupt:11 Base address:0x6000

eth0      Link encap:Ethernet  HWaddr 0a:60:90:b1:79:2f
          inet addr:10.10.xx.xx  Bcast:10.10.xx.xxx  Mask:255.255.255.0
          inet6 addr: fe80::860:90ff:feb1:792f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5565523 errors:0 dropped:52 overruns:0 frame:0
          TX packets:161922 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:881258190 (881.2 MB)  TX bytes:48699421 (48.6 MB)
          Interrupt:10 Base address:0xc000

Thanks in advance. Any guidance is much appreciated.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012
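A check that makes Doug's diagnosis concrete, added here as an example and not taken from the thread or from Security Onion: it correlates per-interface RX counters parsed from ifconfig output with the interfaces that running snort processes were started on (`-i`), and reports interfaces that receive traffic but have no sniffer attached. The ifconfig and ps listings are constructed from the counters posted above; the Snort paths are placeholders.

```python
import re
from typing import Dict, List, Set

# Constructed sample ifconfig output, modeled on the two interfaces posted above
# (addresses masked as the poster masked them, counters as posted).
IFCONFIG_OUTPUT = """\
eth1      Link encap:Ethernet  HWaddr 96:23:88:bd:5a:6c
          inet6 addr: fe80::9423:88ff:febd:5a6c/64 Scope:Link
          RX packets:4395272 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0

eth0      Link encap:Ethernet  HWaddr 0a:60:90:b1:79:2f
          inet addr:10.10.xx.xx  Bcast:10.10.xx.xxx  Mask:255.255.255.0
          RX packets:5565523 errors:0 dropped:52 overruns:0 frame:0
          TX packets:161922 errors:0 dropped:0 overruns:0 carrier:0
"""
# Constructed `ps -eo args` listing (paths are placeholders): Snort is bound to eth0 only.
PS_OUTPUT = """\
COMMAND
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -A none -l /var/log/snort
/usr/bin/tclsh /usr/bin/sguild
"""

def parse_ifconfig(text: str) -> Dict[str, Dict[str, int]]:
    """Map interface name -> RX packet / RX dropped counters from ifconfig text."""
    stats: Dict[str, Dict[str, int]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        rx = re.search(r"RX packets:(\d+).*?dropped:(\d+)", block)
        if rx:
            stats[block.split()[0]] = {"rx_packets": int(rx.group(1)), "rx_dropped": int(rx.group(2))}
    return stats

def sniffed_interfaces(ps_text: str) -> Set[str]:
    """Interfaces that some running snort process was started on with -i."""
    found: Set[str] = set()
    for line in ps_text.splitlines():
        argv = line.split()
        if argv and re.search(r"(^|/)snort$", argv[0]):
            m = re.search(r"(?:^|\s)-i\s*(\S+)", line)
            if m:
                found.add(m.group(1))
    return found

def unmonitored_interfaces(ifconfig_text: str, ps_text: str) -> List[str]:
    """Interfaces that receive packets (RX > 0) but that no snort process is sniffing."""
    sniffed = sniffed_interfaces(ps_text)
    return sorted(name for name, s in parse_ifconfig(ifconfig_text).items()
                  if name != "lo" and s["rx_packets"] > 0 and name not in sniffed)
```

On the posted counters this reports eth1 only: packets are arriving, but no snort process was started with -i eth1, which is exactly the case where re-running Setup and selecting both interfaces applies.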
Current thread:
- Security Onion and a new VLan? Corbin Fletcher (May 30)
- Re: Security Onion and a new VLan? Doug Burks (May 30)
- Re: Security Onion and a new VLan? Joel Esler (May 30)
- Re: Security Onion and a new VLan? Eoin Miller (May 30)
- Re: Security Onion and a new VLan? Naresh Narang (May 30)
- Re: Security Onion and a new VLan? Doug Burks (May 30)