Snort mailing list archives
Snort IDS Monitoring a Proxy Server with Mode 4 Bonding
From: "Turnbough, Bradley E." <bturnbough () belcan com>
Date: Fri, 28 Feb 2014 21:16:58 +0000
Afternoon,

I'm having some difficulties implementing a Snort solution for a proxy server that is using Linux mode 4 bonding.

Proxy Server port configuration:

GigabitEthernet 0/12  YES up up [SLAG-120] proxy01 (eth0)
GigabitEthernet 1/12  YES up up [SLAG-120] proxy01 (eth1)
Port-channel 120      YES up up [SLAG] proxy01

interface GigabitEthernet 0/12
 description [SLAG-120] proxy01 (eth0)
 no ip address
 mtu 9252
 no shutdown

interface GigabitEthernet 1/12
 description [SLAG-120] proxy01 (eth1)
 no ip address
 mtu 9252
 no shutdown

interface Port-channel 120
 description [SLAG] prox01
 no ip address
 mtu 9252
 switchport
 channel-member GigabitEthernet 0/12
 channel-member GigabitEthernet 1/12
 no shutdown

monitor session 0
 source GigabitEthernet 0/12 destination GigabitEthernet 1/40 direction both
!
monitor session 1
 source GigabitEthernet 1/12 destination GigabitEthernet 1/39 direction both

-----------------------------------------------------------
IDS SYSTEM PORT CONFIGURATION:
-----------------------------------------------------------

GigabitEthernet 1/39  YES up up [SPAN] ids01 (eth5) (src:gig1 /12)
GigabitEthernet 1/40  YES up up [SPAN] ids01 (eth4) (src:gig0 /12)

interface GigabitEthernet 1/39
 description [SPAN] ids01 (eth5) (src:gig1 /12)
 no ip address
 no shutdown

interface GigabitEthernet 1/40
 description [SPAN] ids01 (eth4) (src:gig0 /12)
 no ip address
 no shutdown

monitor session 0
 source GigabitEthernet 0/12 destination GigabitEthernet 1/40 direction both
!
monitor session 1
 source GigabitEthernet 1/12 destination GigabitEthernet 1/39 direction both

For some reason my IDS is not keeping track of HTTP sessions as it did when the proxy server was only one interface, so I took eth4 and eth5 on the IDS box and I bridged them to br0. I then set up Snort to monitor br0, but still no change in outcome.

Do I need to create a mode 4 bond on the IDS side and sniff that? What am I doing wrong here? Surely I must be missing something.

Thanks,
Brad