[Snort-users] Snort IDS Monitoring a Proxy Server with Mode 4 Bonding

Turnbough, Bradley E. bturnbough at ...15650...
Fri Feb 28 16:16:58 EST 2014


Afternoon,

I'm having some difficulties implementing a Snort solution for a proxy server that is using Linux mode 4 bonding.

Proxy Server port configuration:

GigabitEthernet 0/12     YES up         up          [SLAG-120] proxy01 (eth0)
GigabitEthernet 1/12     YES up         up          [SLAG-120] proxy01 (eth1)
Port-channel 120         YES up         up          [SLAG] proxy01

interface GigabitEthernet 0/12
 description [SLAG-120] proxy01 (eth0)
 no ip address
 mtu 9252
 no shutdown

interface GigabitEthernet 1/12
 description [SLAG-120] proxy01 (eth1)
 no ip address
 mtu 9252
 no shutdown

interface Port-channel 120
 description [SLAG] prox01
 no ip address
 mtu 9252
 switchport
 channel-member GigabitEthernet 0/12
 channel-member GigabitEthernet 1/12
 no shutdown

monitor session 0
 source GigabitEthernet 0/12 destination GigabitEthernet 1/40 direction both
!
monitor session 1
 source GigabitEthernet 1/12 destination GigabitEthernet 1/39 direction both

-----------------------------------------------------------
IDS SYSTEM PORT CONFIGURATION:
-----------------------------------------------------------
GigabitEthernet 1/39     YES up         up          [SPAN] ids01 (eth5) (src:gig1 /12)
GigabitEthernet 1/40     YES up         up          [SPAN] ids01 (eth4) (src:gig0 /12)

interface GigabitEthernet 1/39
 description [SPAN] ids01 (eth5) (src:gig1 /12)
 no ip address
 no shutdown

interface GigabitEthernet 1/40
 description [SPAN] ids01 (eth4) (src:gig0 /12)
 no ip address
 no shutdown


monitor session 0
 source GigabitEthernet 0/12 destination GigabitEthernet 1/40 direction both
!
monitor session 1
 source GigabitEthernet 1/12 destination GigabitEthernet 1/39 direction both


For some reason my IDS is not keeping track of HTTP sessions as it did when the proxy server was only one interface, so I took eth4 and eth5 on the IDS box and I bridged them to br0. I then set up Snort to monitor br0, but still no change in outcome.

Do I need to create a mode 4 bond on the IDS side and sniff that?

What am I doing wrong here?  Surely I must be missing something.

Thanks,

Brad
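
A diagnostic for the setup described above, as an added example that is not part of the original post: with an 802.3ad (mode 4) bond each end picks its transmit link independently, so the two directions of one TCP connection can cross different member links and land on different SPAN destinations. The check assumes TCP packet tuples have already been exported per capture interface (eth4, eth5); the sample records, addresses and function names are constructed.

```python
from collections import defaultdict

# Constructed sample: (capture iface, src ip, src port, dst ip, dst port).
SAMPLE = [
    ("eth4", "10.0.0.5", 40001, "192.0.2.10", 80),   # request on eth4 only
    ("eth5", "192.0.2.10", 80, "10.0.0.5", 40001),   # reply on eth5 only
    ("eth4", "10.0.0.5", 40002, "192.0.2.11", 80),   # both directions on eth4
    ("eth4", "192.0.2.11", 80, "10.0.0.5", 40002),
    ("eth5", "10.0.0.5", 40003, "192.0.2.12", 80),   # reply never captured
]

def flow_key(src, sport, dst, dport):
    """Return a direction-independent flow key and this packet's direction."""
    a, b = (src, sport), (dst, dport)
    return ((a, b), "fwd") if a <= b else ((b, a), "rev")

def classify(packets):
    """Label each flow 'complete', 'split' or 'one-way'.

    complete: at least one interface carries both directions
    split:    both directions captured, but never on the same interface
    one-way:  only one direction captured on any interface
    """
    seen = defaultdict(lambda: defaultdict(set))  # flow -> iface -> directions
    for iface, src, sport, dst, dport in packets:
        key, direction = flow_key(src, sport, dst, dport)
        seen[key][iface].add(direction)

    labels = {}
    for key, per_iface in seen.items():
        captured = set().union(*per_iface.values())
        if captured != {"fwd", "rev"}:
            labels[key] = "one-way"
        elif any(dirs == {"fwd", "rev"} for dirs in per_iface.values()):
            labels[key] = "complete"
        else:
            labels[key] = "split"
    return labels

def split_flows(packets):
    """Flows a sensor reading one interface at a time cannot reassemble."""
    return sorted(k for k, v in classify(packets).items() if v == "split")

if __name__ == "__main__":
    for flow, label in sorted(classify(SAMPLE).items()):
        print(label, flow)
```

A high share of "split" flows means each interface alone sees half a session, so the sensor needs both feeds merged into one packet stream before stream reassembly.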
