[Snort-users] Snort IDS Monitoring a Proxy Server with Mode 4 Bonding

James Lay jlay at ...13475...
Fri Feb 28 16:44:12 EST 2014


On 2014-02-28 14:16, Turnbough, Bradley E. wrote:
> Afternoon,
>
> I'm having some difficulties implementing a snort solution for a
> proxy server that is using linux mode 4 bonding.
>
> Proxy Server port configuration:
>
> GigabitEthernet 0/12     YES up         up          [SLAG-120] proxy01 (eth0)
> GigabitEthernet 1/12     YES up         up          [SLAG-120] proxy01 (eth1)
> Port-channel 120         YES up         up          [SLAG] proxy01
>
> interface GigabitEthernet 0/12
>  description [SLAG-120] proxy01 (eth0)
>  no ip address
>  mtu 9252
>  no shutdown
>
> interface GigabitEthernet 1/12
>  description [SLAG-120] proxy01 (eth1)
>  no ip address
>  mtu 9252
>  no shutdown
>
> interface Port-channel 120
>  description [SLAG] prox01
>  no ip address
>  mtu 9252
>  switchport
>  channel-member GigabitEthernet 0/12
>  channel-member GigabitEthernet 1/12
>  no shutdown
>
> monitor session 0
>  source GigabitEthernet 0/12 destination GigabitEthernet 1/40 direction both
> !
> monitor session 1
>  source GigabitEthernet 1/12 destination GigabitEthernet 1/39 direction both
>
> -----------------------------------------------------------
> IDS SYSTEM PORT CONFIGURATION:
> -----------------------------------------------------------
> GigabitEthernet 1/39     YES up         up          [SPAN] ids01 (eth5) (src:gig1 /12)
> GigabitEthernet 1/40     YES up         up          [SPAN] ids01 (eth4) (src:gig0 /12)
>
> interface GigabitEthernet 1/39
>  description [SPAN] ids01 (eth5) (src:gig1 /12)
>  no ip address
>  no shutdown
>
> interface GigabitEthernet 1/40
>  description [SPAN] ids01 (eth4) (src:gig0 /12)
>  no ip address
>  no shutdown
>
>
> monitor session 0
>  source GigabitEthernet 0/12 destination GigabitEthernet 1/40 direction both
> !
> monitor session 1
>  source GigabitEthernet 1/12 destination GigabitEthernet 1/39 direction both
>
>
> For some reason my IDS is not keeping track of http sessions as it
> did when the proxy server was only one interface, so I took eth4 and
> eth5 on the IDS box and I bridged them to br0.  I then set up snort
> to monitor br0, but still no change in outcome.
>
> Do I need to create a mode 4 bond on the ids side and sniff that?
>
> What am I doing wrong here?  Surely I must be missing something.
>
> Thanks,
>
> Brad

daq may save the day:

snort -D --daq afpacket --daq-mode passive -i eth0:eth1

James
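The model below, an added example that is not part of this thread, shows why one SPAN session per physical member of a mode 4 (LACP) bond leaves Snort with half of every TCP conversation, and why feeding both capture NICs into a single DAQ instance (James's eth0:eth1 form, which for Brad's box would be eth4:eth5) repairs it. The proxy's outbound packets are placed on a bond member by the Linux xmit_hash_policy (the layer3+4 formula from the kernel bonding documentation, simplified here), while packets the switch forwards to the proxy are placed by the switch's own port-channel hash, which the thread does not show; a source-IP-only policy is assumed as a hypothetical stand-in. The proxy address 10.1.1.10, the client address 10.1.1.7:40001 and the packet list are constructed; the link-to-NIC mapping (Gi 0/12 to eth4, Gi 1/12 to eth5) is taken from Brad's SPAN sessions.

```python
"""Model of how an LACP bond splits one TCP flow across two SPAN ports.

Added example, not code from the Snort-users thread.  The Linux
layer3+4 hash follows the older formula in the kernel's bonding
documentation; the switch-side src-ip policy is a hypothetical
assumption, since the thread does not show the switch's hash."""
import ipaddress
from collections import defaultdict

SLAVES = 2                 # two physical members in Port-channel 120
PROXY_IP = "10.1.1.10"     # constructed address for proxy01
# Bond member index -> IDS capture NIC, per the thread's SPAN sessions:
# Gi 0/12 is mirrored to ids01 eth4, Gi 1/12 to ids01 eth5.
LINK_TO_IDS_NIC = {0: "eth4", 1: "eth5"}


def ip_to_int(ip):
    return int(ipaddress.ip_address(ip))


def linux_layer3_4_slave(src_ip, dst_ip, sport, dport, slaves=SLAVES):
    # xmit_hash_policy=layer3+4:
    #   ((sport XOR dport) XOR ((sip XOR dip) AND 0xffff)) mod slave_count
    # XOR is commutative, so both directions of a flow pick the same member.
    h = (sport ^ dport) ^ ((ip_to_int(src_ip) ^ ip_to_int(dst_ip)) & 0xFFFF)
    return h % slaves


def switch_src_ip_slave(src_ip, dst_ip, sport, dport, slaves=SLAVES):
    # Hypothetical switch port-channel policy keyed on source IP only.
    return ip_to_int(src_ip) % slaves


def capture_nic(src_ip, dst_ip, sport, dport):
    """IDS NIC that sees this packet.  Packets the proxy transmits are
    placed by the Linux bond; packets the switch forwards to the proxy
    are placed by the switch's hash.  The two choices are independent."""
    if src_ip == PROXY_IP:
        link = linux_layer3_4_slave(src_ip, dst_ip, sport, dport)
    else:
        link = switch_src_ip_slave(src_ip, dst_ip, sport, dport)
    return LINK_TO_IDS_NIC[link]


def flow_key(src_ip, dst_ip, sport, dport):
    # Direction-independent key for one TCP conversation.
    return tuple(sorted([(src_ip, sport), (dst_ip, dport)]))


# Constructed handshake plus one HTTP request/response through the proxy.
PACKETS = [
    ("10.1.1.7", PROXY_IP, 40001, 3128, "SYN"),
    (PROXY_IP, "10.1.1.7", 3128, 40001, "SYN/ACK"),
    ("10.1.1.7", PROXY_IP, 40001, 3128, "ACK"),
    ("10.1.1.7", PROXY_IP, 40001, 3128, "PSH GET /"),
    (PROXY_IP, "10.1.1.7", 3128, 40001, "PSH 200 OK"),
]


def directions_seen(packets, merge_nics):
    """Return {capture_name: {flow_key: set of directions seen}}.
    merge_nics=False tracks each NIC on its own (one Snort per NIC, or one
    Snort on a single NIC); merge_nics=True pools both NICs into one flow
    table, which is what a single DAQ instance on eth4:eth5 is meant to do."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, sport, dport, _flags in packets:
        nic = capture_nic(src, dst, sport, dport)
        name = "eth4:eth5" if merge_nics else nic
        direction = "to_proxy" if dst == PROXY_IP else "from_proxy"
        seen[name][flow_key(src, dst, sport, dport)].add(direction)
    return {name: dict(flows) for name, flows in seen.items()}


def complete_flows(packets, merge_nics):
    """Count flows for which a capture saw both directions, the minimum
    the stream tracker needs to follow a TCP session and the HTTP in it."""
    return {
        name: sum(1 for dirs in flows.values() if len(dirs) == 2)
        for name, flows in directions_seen(packets, merge_nics).items()
    }


if __name__ == "__main__":
    print("per NIC:", complete_flows(PACKETS, merge_nics=False))
    print("merged :", complete_flows(PACKETS, merge_nics=True))
```

With the constructed addresses the client-to-proxy half of the session lands on Gi 1/12 (eth5) and the proxy-to-client half on Gi 0/12 (eth4), so neither NIC alone ever holds a complete flow; pooling the two captures restores it. Bridging eth4 and eth5 into br0 does not change which NIC each half arrives on, which is consistent with Brad seeing no improvement.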