[Snort-users] Security Onion and a new VLan?

Corbin Fletcher corbin at ...15596...
Wed May 30 13:08:20 EDT 2012


Hello Snort Community,

We are attempting to monitor a larger part of our total network traffic 
on Vlan 66.113.xx.xx. We are running Security Onion (SO) in a production 
environment, using Proxmox for VMs and utilizing Sguil and Snorby for 
analysis. We have added the Vlan bridge in Proxmox and 66.113.xx.xx has 
been added to our $HOME_NET.

SO has an IP address of 10.10.xx.xxx on eth0 (which is not ideal) and 
the data collected from this Vlan is accurately reflected in Sguil and 
Snorby. We see events from eth0 in Sguil and Snorby, but nothing for 
eth1. And all data collected on eth0 is from the 10.10.xx.xxx Vlan 
exclusively.

When I run snort -i eth1 our sensor captures data from the 66.113.xx.xx 
Vlan, which is correct.

Do I need to add a static IP address e.g., 66.113.xx.xx to eth1 to fix 
this issue?

Is there some work I need to do in the config file?

Our sensor is not monitoring Vlan 66.113.xx.xx.

When I start Sguil, I check the boxes for eth0 and eth1, which are the 
networks I want to monitor. No data from eth1 is showing in Snorby and Sguil.

ifconfig output for eth1 and eth0:

eth1   Link encap:Ethernet  HWaddr 96:23:88:bd:5a:6c
           inet6 addr: fe80::9423:88ff:febd:5a6c/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:4395272 errors:0 dropped:0 overruns:0 frame:0
           TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:351806305 (351.8 MB)  TX bytes:2826 (2.8 KB)
           Interrupt:11 Base address:0x6000

eth0   Link encap:Ethernet  HWaddr 0a:60:90:b1:79:2f
           inet addr:10.10.xx.xx  Bcast:10.10.xx.xxx  Mask:255.255.255.0
           inet6 addr: fe80::860:90ff:feb1:792f/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:5565523 errors:0 dropped:52 overruns:0 frame:0
           TX packets:161922 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:881258190 (881.2 MB)  TX bytes:48699421 (48.6 MB)
           Interrupt:10 Base address:0xc000

Thanks in advance. Any guidance is much appreciated.




