[Snort-users] Security Onion and a new VLan?

Eoin Miller eoin.miller at ...14586...
Wed May 30 14:45:13 EDT 2012


On 5/30/2012 17:08, Corbin Fletcher wrote:
> Ifconfig eth1& eth0
> 
> eth1   Link encap:Ethernet  HWaddr 96:23:88:bd:5a:6c
>            inet6 addr: fe80::9423:88ff:febd:5a6c/64 Scope:Link
>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>            RX packets:4395272 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 txqueuelen:1000
>            RX bytes:351806305 (351.8 MB)  TX bytes:2826 (2.8 KB)
>            Interrupt:11 Base address:0x6000
> 
> eth0   Link encap:Ethernet  HWaddr 0a:60:90:b1:79:2f
>            inet addr:10.10.xx.xx  Bcast:10.10.xx.xxx  Mask:255.255.255.0
>            inet6 addr: fe80::860:90ff:feb1:792f/64 Scope:Link
>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>            RX packets:5565523 errors:0 dropped:52 overruns:0 frame:0
>            TX packets:161922 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 txqueuelen:1000
>            RX bytes:881258190 (881.2 MB)  TX bytes:48699421 (48.6 MB)
>            Interrupt:10 Base address:0xc000
> 
> Thanks in advance. Any guidance is much appreciated.


I think you need to set up your VLAN interface within the OS so you can
monitor that VLAN. I've run into this before and just monitoring the raw
physical device actually won't let you see the VLAN tagged packets IIRC.
Once you add the VLAN interface of say eth0.15 (if you wanted to monitor
VLAN #15) you can then also bond that interface along with whatever
other interfaces you want to monitor and point Snort to bond0. That
should get you where you need to go, even if it is a bit of a kludge.

-- Eoin
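
The setup described in the reply above, as an added example that is not part of the original message: it prints (or, with APPLY=1 as root, runs) the iproute2 commands that create the VLAN sub-interface and bond it. The names eth0.15, VLAN 15 and bond0 come from the reply; eth1 as the extra bond member, the function names and the APPLY switch are assumptions.

```shell
#!/bin/sh
# Added example: plan the VLAN sub-interface + bond from the reply.
# Dry run by default; set APPLY=1 and run as root to execute the commands.

# plan_vlan_bond PARENT VLAN_ID BOND [EXTRA_IFACE...]
plan_vlan_bond() {
    local parent="$1" vlan="$2" bond="$3" vif member
    shift 3
    # 802.1Q VLAN IDs 0 and 4095 are reserved; usable range is 1-4094.
    case "$vlan" in
        ''|*[!0-9]*|0*|?????*) echo "invalid VLAN id: $vlan" >&2; return 1 ;;
    esac
    [ "$vlan" -le 4094 ] || { echo "invalid VLAN id: $vlan" >&2; return 1; }

    vif="${parent}.${vlan}"
    echo "ip link set $parent up"
    echo "ip link add link $parent name $vif type vlan id $vlan"
    echo "ip link add $bond type bond"
    for member in "$vif" "$@"; do
        # An interface has to be down before it can join a bond.
        echo "ip link set $member down"
        echo "ip link set $member master $bond"
    done
    echo "ip link set $bond up"
}

# run_plan: same arguments; echoes the plan, or executes it when APPLY=1.
run_plan() {
    local plan
    plan=$(plan_vlan_bond "$@") || return 1
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then $cmd || exit 1; else echo "$cmd"; fi
    done
}

# Constructed sample: VLAN 15 on eth0, bonded with eth1 (assumed) as bond0.
run_plan eth0 15 bond0 eth1
# Afterwards point Snort at the bond: snort -i bond0 -c <path to snort.conf>
```

Check the result with `ip -d link show eth0.15` before starting Snort on bond0.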




