[Snort-users] Cannot get Snort listen on a second network interface (creating a gateway)

Henry Collins hcol1987 at ...11827...
Mon Feb 23 09:09:58 EST 2015


I deleted IP address from eth1, but I still cannot see anything on my
gateway. I used -i eth1 parameter. How do I make computers that try to use
my gateway come through eth1 and reach external internet (outside the
subnet) via eth0?

My interfaces file looks like this now:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 10.165.17.66
gateway 10.165.17.1
dns-nameservers 10.165.0.10 10.165.0.11
netmask 255.255.255.0
broadcast 10.165.17.255

# The secondary network interface
auto eth1
iface eth1 inet static
dns-nameservers 10.165.0.10 10.165.0.11
netmask 255.255.255.0
broadcast 10.165.17.255

And ifconfig gives this output:

eth0      Link encap:Ethernet  HWaddr 00:0c:29:83:e8:ff
          inet addr:10.165.17.66  Bcast:10.165.17.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe83:e8ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:695 errors:0 dropped:0 overruns:0 frame:0
          TX packets:178 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:54360 (54.3 KB)  TX bytes:28055 (28.0 KB)

eth1      Link encap:Ethernet  HWaddr 00:0c:29:83:e8:09
          inet6 addr: fe80::20c:29ff:fe83:e809/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:232 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16781 (16.7 KB)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


> You may want to span traffic to the monitoring interface and put it into
> promiscuous mode so you can see all traffic on that subnet.

How do I do that?

I have changed ip addresses in my snort.conf:
ipvar HOME_NET 10.165.17.0/24
ipvar EXTERNAL_NET !$HOME_NET

Because my subnet is 10.165.17.0 - 10.165.17.255



On Mon, Feb 23, 2015 at 1:05 PM, Al Lewis (allewi) <allewi at ...589...> wrote:

>  Hello Henry,
>
>
>
> Use “-i ” to set the monitoring interface. Some other uses with the daq
> are listed here: http://manual.snort.org/node7.html
>
>
>
> If you set an IP on that interface snort will only see the packets
> destined for that host.
>
>
>
> You may want to span traffic to the monitoring interface and put it into
> promiscuous mode so you can see all traffic on that subnet.
>
>
>
> Also… Hosts on your network won’t use your gateway to access each other
> because based on your subnet mask/network number they are all in the
> *same* subnet. Once they ARP for the destination they will send the
> packets directly to the end point and not your machine. Hosts will only use
> a default gateway to get to networks they don’t know about (not within
> their current subnet).
>
>
>
>
>
> Hope this helps.
>
>
>
> Albert Lewis
>
> QA Software Engineer
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi at ...589...
>
>
>
> *From:* Henry Collins [mailto:hcol1987 at ...11827...]
> *Sent:* Monday, February 23, 2015 5:41 AM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] Cannot get Snort listen on a second network
> interface (creating a gateway)
>
>
>
> I have a small subnet that consists of several computers. I want these
> computers to configure in such a way that they would use my gateway to
> access each other and the external internet.
>
>
>
> There is already a gateway working in the subnet, but it doesn't have
> Snort installed. Its IP is 10.165.17.1
>
>
>
> I am working on creating another gateway that would use the upper gateway
> to serve computers in the subnet, but this gateway would receive packets
> from computers in the subnet. In this way, I want to instruct Snort to
> listen on for example eth1, which would be used for computers in the subnet
> and eth0 for communication with the subnet's gateway (10.165.17.1). How is
> it done?
>
>
>
> Here is a short overview of my network:
>
>
>
> Gateways:
>
> 10.165.17.1 (has access to external internet and computers in the subnet)
>
> 10.165.17.70 (is used by computers in the subnet as gateway and uses
> 10.165.17.1 as its gateway)
>
>
>
> Computers:
>
> 10.165.17.60 (gateway: 10.165.17.70)
>
> 10.165.17.61 (gateway: 10.165.17.70)
>
> and so on...
>
>
>
> This is my /etc/network/interfaces so far. However, eth1 doesn't get an
> IP. How do I fix this? I want to make Snort listen on eth1:
>
>
>
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> auto eth0
> iface eth0 inet static
> address 10.165.17.66
> gateway 10.165.17.1
> dns-nameservers 10.165.0.10 10.165.0.11
> netmask 255.255.255.0
> broadcast 10.165.17.255
>
> # The secondary network interface
> auto eth1
> iface eth1 inet static
> address 10.165.17.70
> gateway 10.165.17.1
> dns-nameservers 10.165.0.10 10.165.0.11
> netmask 255.255.255.0
> broadcast 10.165.17.255
>
>
>
> This is output from ifconfig:
>
>
>
> eth0      Link encap:Ethernet  HWaddr 00:0c:29:83:e8:ff
>           inet addr:10.165.17.66  Bcast:10.165.17.255  Mask:255.255.255.0
>           inet6 addr: fe80::20c:29ff:fe83:e8ff/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:137 errors:0 dropped:21 overruns:0 frame:0
>           TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:16987 (16.9 KB)  TX bytes:928 (928.0 B)
>
> eth1      Link encap:Ethernet  HWaddr 00:0c:29:83:e8:09
>           inet6 addr: fe80::20c:29ff:fe83:e809/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:92 errors:0 dropped:11 overruns:0 frame:0
>           TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:9675 (9.6 KB)  TX bytes:648 (648.0 B)
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
>
>
>
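
Added example, not part of the original thread and not code from the Snort project: a small Python check that parses an ifupdown /etc/network/interfaces file and reports the three conditions visible in the two versions posted above (two static interfaces in the same subnet, more than one default gateway, and a static stanza with no address). The function names and message strings are hypothetical; the sample stanzas are copied from the thread with the dns-nameservers and broadcast lines omitted.

```python
import ipaddress

def parse_interfaces(text):
    """Parse ifupdown stanzas into {iface: {"method": ..., option: value}}."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue                      # blank line or comment
        if words[0] == "iface" and len(words) >= 4:
            cur = stanzas.setdefault(words[1], {"method": words[3]})
        elif words[0] in ("auto", "allow-hotplug", "source", "mapping"):
            cur = None                    # these lines end the previous stanza
        elif cur is not None:
            cur[words[0]] = " ".join(words[1:])
    return stanzas

def lint(text):
    """Return findings for the misconfigurations discussed in this thread."""
    findings, nets, gateways = [], {}, []
    for name, opts in parse_interfaces(text).items():
        if opts["method"] != "static":
            continue                      # 'manual' and 'loopback' carry no address
        if "gateway" in opts:
            gateways.append(name)
        addr = opts.get("address")
        if addr is None:
            findings.append(f"{name}: static without address")
            continue
        if "/" not in addr:
            addr += "/" + opts.get("netmask", "32")
        nets.setdefault(ipaddress.ip_interface(addr).network, []).append(name)
    for net, names in nets.items():
        if len(names) > 1:
            findings.append(f"{'+'.join(names)}: same subnet {net}")
    if len(gateways) > 1:
        findings.append(f"{'+'.join(gateways)}: multiple default gateways")
    return findings

# Stanzas copied from the two versions of the file posted in this thread.
ETH0 = "auto eth0\niface eth0 inet static\naddress 10.165.17.66\ngateway 10.165.17.1\nnetmask 255.255.255.0\n"
FIRST = ETH0 + "auto eth1\niface eth1 inet static\naddress 10.165.17.70\ngateway 10.165.17.1\nnetmask 255.255.255.0\n"
SECOND = ETH0 + "auto eth1\niface eth1 inet static\nnetmask 255.255.255.0\n"
# Assumption: an address-less sniffing port declared with the 'manual' method.
SNIFF = ETH0 + "auto eth1\niface eth1 inet manual\nup ip link set eth1 up promisc on\n"

if __name__ == "__main__":
    for label, cfg in (("first", FIRST), ("second", SECOND), ("sniff", SNIFF)):
        print(label, lint(cfg))
```

The SNIFF variant passes cleanly because an interface used only for capture needs no address, netmask or gateway; Snort is then pointed at it with -i eth1 as in the thread.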