[Snort-users] Security Onion and a new VLan?

Joel Esler jesler at ...1935...
Wed May 30 15:36:30 EDT 2012


I don't mind Security Onion related conversations on the Snort lists, Doug.  Especially when they are about Snort ;)

J

On May 30, 2012, at 2:20 PM, Doug Burks wrote:

> Hi Corbin,
> 
> It sounds like you're getting packets into eth1, but there are no
> processes running on that interface to sniff the traffic.  When you
> ran Setup, did you specify that both eth0 and eth1 should be used for
> monitoring?
> 
> Since this question is specific to Security Onion, we should probably
> continue this discussion on the Security Onion mailing list:
> http://groups.google.com/group/security-onion
> 
> Thanks,
> Doug
> 
> On Wed, May 30, 2012 at 1:08 PM, Corbin Fletcher <corbin at ...15596...> wrote:
>> Hello Snort Community,
>> 
>> We are attempting to monitor a larger part of our total network traffic
>> on VLAN 66.113.xx.xx. We are running Security Onion (SO) in a production
>> environment, using Proxmox for VMs and utilizing Sguil and Snorby for
>> analysis. We have added the VLAN bridge in Proxmox and 66.113.xx.xx has
>> been added to our $HOME_NET.
>> 
>> SO has an IP address of 10.10.xx.xxx on eth0 (which is not ideal) and
>> the data collected from this VLAN is accurately reflected in Sguil and
>> Snorby. We see events from eth0 in Sguil and Snorby, but nothing for
>> eth1. And all data collected on eth0 is from the 10.10.xx.xxx VLAN
>> exclusively.
>> 
>> When I run snort -i eth1 our sensor captures data from the 66.113.xx.xx
>> VLAN, which is correct.
>> 
>> Do I need to add a static IP address e.g., 66.113.xx.xx to eth1 to fix
>> this issue?
>> 
>> Is there some work I need to do in the config file?
>> 
>> Our sensor is not monitoring VLAN 66.113.xx.xx.
>> 
>> When I start Sguil, I check the boxes for eth0 and eth1, which are the networks
>> I want to monitor. No data from eth1 is showing in Snorby and Sguil.
>> 
>> ifconfig eth1 & eth0
>> 
>> eth1   Link encap:Ethernet  HWaddr 96:23:88:bd:5a:6c
>>           inet6 addr: fe80::9423:88ff:febd:5a6c/64 Scope:Link
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:4395272 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:351806305 (351.8 MB)  TX bytes:2826 (2.8 KB)
>>           Interrupt:11 Base address:0x6000
>> 
>> eth0   Link encap:Ethernet  HWaddr 0a:60:90:b1:79:2f
>>           inet addr:10.10.xx.xx  Bcast:10.10.xx.xxx  Mask:255.255.255.0
>>           inet6 addr: fe80::860:90ff:feb1:792f/64 Scope:Link
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:5565523 errors:0 dropped:52 overruns:0 frame:0
>>           TX packets:161922 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:881258190 (881.2 MB)  TX bytes:48699421 (48.6 MB)
>>           Interrupt:10 Base address:0xc000
>> 
>> Thanks in advance. Any guidance is much appreciated.
>> 
>> 
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> 
> 
> -- 
> Doug Burks | http://securityonion.blogspot.com
> Don't miss SANS SEC503 Intrusion Detection In-Depth in
> Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
> http://augusta.issa.org/drupal/SANS-Augusta-2012
> 
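A small diagnostic for the situation Doug describes above (packets arriving on an interface that no sniffing process is attached to), added here as an example; it is not part of this thread and not one of Security Onion's own scripts. It parses plain `ifconfig` and `ps` output and decides, per interface, whether traffic is arriving and whether any process was started with `-i <interface>`. The ifconfig sample is constructed from the counters in Corbin's mail; the ps sample (a snort and a netsniff-ng bound only to eth0) is an assumption made for the example, not a statement about how Security Onion launches its sensors.

```shell
#!/bin/sh
# Per-interface sensor check: is traffic arriving, and is a sniffer attached?
# Works on captured text, so it can be run offline against the samples below
# or live:  diagnose eth1 "$(ifconfig -a)" "$(ps -eo pid,args)"

# Constructed sample: ifconfig output trimmed from the thread (eth1 has no IP,
# eth0 carries the 10.10.xx.xx management address).
IFCONFIG_SAMPLE='eth1   Link encap:Ethernet  HWaddr 96:23:88:bd:5a:6c
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4395272 errors:0 dropped:0 overruns:0 frame:0

eth0   Link encap:Ethernet  HWaddr 0a:60:90:b1:79:2f
          inet addr:10.10.xx.xx  Bcast:10.10.xx.xxx  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5565523 errors:0 dropped:52 overruns:0 frame:0'

# Constructed sample (assumption): process list with sniffers on eth0 only.
# The config path is a placeholder, not a real Security Onion path.
PS_SAMPLE='1234 snort -c /PLACEHOLDER/snort-eth0.conf -i eth0 -A none
1235 netsniff-ng -i eth0 -o /PLACEHOLDER/pcap'

# rx_packets IFACE IFCONFIG_TEXT -> prints the RX packet counter for IFACE
# (prints nothing if the interface is absent).
rx_packets() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $1 == ifc { cur = 1; next }       # header line of the wanted interface
        /^[^ \t]/ { cur = 0 }             # header line of another interface
        cur && /RX packets:/ {
            sub(/.*RX packets:/, ""); sub(/ .*/, ""); print; exit
        }'
}

# sniffer_count IFACE PS_TEXT -> number of processes started with "-i IFACE".
sniffer_count() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        { for (i = 1; i < NF; i++)
              if ($i == "-i" && $(i + 1) == ifc) { n++; break } }
        END { print n + 0 }'
}

# diagnose IFACE IFCONFIG_TEXT PS_TEXT -> NO_TRAFFIC | NO_SNIFFER | OK
#   NO_TRAFFIC: nothing is reaching the interface (span/bridge problem)
#   NO_SNIFFER: packets arrive but no process is sniffing them (the thread's case)
diagnose() {
    rx=$(rx_packets "$1" "$2"); rx=${rx:-0}
    procs=$(sniffer_count "$1" "$3")
    if [ "$rx" -eq 0 ]; then
        echo NO_TRAFFIC
    elif [ "$procs" -eq 0 ]; then
        echo NO_SNIFFER
    else
        echo OK
    fi
}

# Stand-alone run over the constructed samples.
for ifc in eth0 eth1; do
    printf '%s: %s\n' "$ifc" "$(diagnose "$ifc" "$IFCONFIG_SAMPLE" "$PS_SAMPLE")"
done
```

On the sample data eth0 reports OK and eth1 reports NO_SNIFFER, which is exactly the pattern in Corbin's mail: millions of RX packets on eth1 but nothing in Sguil or Snorby. The fix Doug points to (re-running Setup with both interfaces selected) turns NO_SNIFFER into OK; a NO_TRAFFIC result instead points at the bridge or span port, not at the sensor configuration.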
