[Snort-users] Security Onion and a new VLan?

Doug Burks doug.burks at ...11827...
Wed May 30 14:20:52 EDT 2012


Hi Corbin,

It sounds like you're getting packets into eth1, but there are no
processes running on that interface to sniff the traffic.  When you
ran Setup, did you specify that both eth0 and eth1 should be used for
monitoring?

Since this question is specific to Security Onion, we should probably
continue this discussion on the Security Onion mailing list:
http://groups.google.com/group/security-onion

Thanks,
Doug

On Wed, May 30, 2012 at 1:08 PM, Corbin Fletcher <corbin at ...15596...> wrote:
> Hello Snort Community,
>
> We are attempting to monitor a larger part of our total network traffic
> on VLAN 66.113.xx.xx. We are running Security Onion (SO) in a production
> environment, using Proxmox for VMs and utilizing Sguil and Snorby for
> analysis. We have added the VLAN bridge in Proxmox and 66.113.xx.xx has
> been added to our $HOME_NET.
>
> SO has an IP address of 10.10.xx.xxx on eth0 (which is not ideal) and
> the data collected from this VLAN is accurately reflected in Sguil and
> Snorby. We see events from eth0 in Sguil and Snorby, but nothing for
> eth1. And all data collected on eth0 is from the 10.10.xx.xxx VLAN
> exclusively.
>
> When I run snort -i eth1 our sensor captures data from the 66.113.xx.xx
> VLAN, which is correct.
>
> Do I need to add a static IP address e.g., 66.113.xx.xx to eth1 to fix
> this issue?
>
> Is there some work I need to do in the config file?
>
> Our sensor is not monitoring VLAN 66.113.xx.xx.
>
> When I start Sguil, I check the boxes for eth0 and eth1, which are the
> networks I want to monitor. No data from eth1 is showing in Snorby and Sguil.
>
> ifconfig eth1 & eth0
>
> eth1   Link encap:Ethernet  HWaddr 96:23:88:bd:5a:6c
>           inet6 addr: fe80::9423:88ff:febd:5a6c/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:4395272 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:351806305 (351.8 MB)  TX bytes:2826 (2.8 KB)
>           Interrupt:11 Base address:0x6000
>
> eth0   Link encap:Ethernet  HWaddr 0a:60:90:b1:79:2f
>           inet addr:10.10.xx.xx  Bcast:10.10.xx.xxx  Mask:255.255.255.0
>           inet6 addr: fe80::860:90ff:feb1:792f/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:5565523 errors:0 dropped:52 overruns:0 frame:0
>           TX packets:161922 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:881258190 (881.2 MB)  TX bytes:48699421 (48.6 MB)
>           Interrupt:10 Base address:0xc000
>
> Thanks in advance. Any guidance is much appreciated.



-- 
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012
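The diagnosis in the reply above (packets arriving on eth1, but no process sniffing that interface) can be checked directly on a Linux sensor. The script below is an added example, not from this thread and not part of Security Onion's own Setup or tooling. It assumes the standard Linux sysfs counters (/sys/class/net/IFACE/statistics/rx_packets) and the kernel's AF_PACKET socket table in /proc/net/packet, whose Iface column is the ifindex the socket is bound to (0 meaning every interface); libpcap-based sniffers such as snort open exactly such sockets. The socket table rows used in the test are constructed.

```shell
#!/bin/sh
# Added example: for each sensor interface, decide whether packets arrive and
# whether any process actually holds an AF_PACKET socket on it.
# /proc/net/packet columns: sk RefCnt Type Proto Iface R Rmem User Inode

# ifindex of an interface from sysfs; prints nothing if the interface is absent
iface_index() {
    cat "/sys/class/net/$1/ifindex" 2>/dev/null || true
}

# current rx_packets counter of an interface (0 if it cannot be read)
iface_rx_packets() {
    cat "/sys/class/net/$1/statistics/rx_packets" 2>/dev/null || echo 0
}

# Number of AF_PACKET sockets bound to ifindex $1, counting sockets bound to
# ifindex 0 as well, since those receive from every interface.
# $2 optionally overrides the socket table path (used for offline testing).
packet_sockets_on() {
    _idx="$1"; _table="${2:-/proc/net/packet}"
    awk -v idx="$_idx" \
        'NR > 1 && ($5+0 == idx+0 || $5+0 == 0) { n++ } END { print n+0 }' "$_table"
}

# Classify an interface from its ifindex, two rx_packets samples and the table:
#   sniffed   - at least one packet socket covers it
#   unsniffed - the counter grew but nobody listens (the symptom in the thread)
#   idle      - no traffic and no listener (check the span/mirror or VLAN bridge)
classify_iface() {
    _idx="$1"; _before="$2"; _after="$3"; _table="${4:-/proc/net/packet}"
    if [ "$(packet_sockets_on "$_idx" "$_table")" -gt 0 ]; then
        echo sniffed
    elif [ "$_after" -gt "$_before" ]; then
        echo unsniffed
    else
        echo idle
    fi
}

# Live check of one interface: sample the counter twice, two seconds apart.
check_iface() {
    _iface="$1"
    _idx=$(iface_index "$_iface")
    if [ -z "$_idx" ]; then
        echo "$_iface: missing"
        return 1
    fi
    _b=$(iface_rx_packets "$_iface")
    sleep 2
    _a=$(iface_rx_packets "$_iface")
    echo "$_iface: $(classify_iface "$_idx" "$_b" "$_a")" \
         "(rx +$((_a - _b)) packets in 2s)"
}

# PID(s) owning a socket inode from /proc/net/packet; needs root to see
# other users' /proc/PID/fd entries.
socket_owner() {
    for _fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$_fd" 2>/dev/null)" = "socket:[$1]" ]; then
            echo "$_fd" | cut -d/ -f3
        fi
    done
}

# usage: sh check_sensor_ifaces.sh eth0 eth1
if [ $# -gt 0 ]; then
    for _i in "$@"; do check_iface "$_i"; done
fi
```

On the sensor in the thread, an output of `eth1: unsniffed (rx +N packets in 2s)` next to `eth0: sniffed` would confirm that the interface is receiving the VLAN's traffic but that Setup never started a sniffing process on it; `idle` on eth1 would instead point at the Proxmox bridge or the port mirror feeding it.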
