[Snort-users] Security Onion and a new VLan?


Corbin Fletcher

May 30, 2012, 1:08:20 PM
Hello Snort Community,

We are attempting to monitor a larger part of our total network traffic
on VLAN 66.113.xx.xx. We are running Security Onion (SO) in a production
environment, using Proxmox for VMs and utilizing Sguil and Snorby for
analysis. We have added the VLAN bridge in Proxmox, and 66.113.xx.xx has
been added to our $HOME_NET.

SO has an IP address of 10.10.xx.xxx on eth0 (which is not ideal), and
the data collected from this VLAN is accurately reflected in Sguil and
Snorby. We see events from eth0 in Sguil and Snorby, but nothing for
eth1. All data collected on eth0 is from the 10.10.xx.xxx VLAN
exclusively.

When I run snort -i eth1, our sensor captures data from the 66.113.xx.xx
VLAN, which is correct.

Do I need to add a static IP address e.g., 66.113.xx.xx to eth1 to fix
this issue?

Is there some work I need to do in the config file?

Our sensor is not monitoring VLAN 66.113.xx.xx.

When I start Sguil, I check the boxes for eth0 and eth1, which are the networks
I want to monitor. No data from eth1 is showing in Snorby and Sguil.

ifconfig eth1 & eth0

eth1      Link encap:Ethernet  HWaddr 96:23:88:bd:5a:6c
          inet6 addr: fe80::9423:88ff:febd:5a6c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4395272 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:351806305 (351.8 MB)  TX bytes:2826 (2.8 KB)
          Interrupt:11 Base address:0x6000

eth0      Link encap:Ethernet  HWaddr 0a:60:90:b1:79:2f
          inet addr:10.10.xx.xx  Bcast:10.10.xx.xxx  Mask:255.255.255.0
          inet6 addr: fe80::860:90ff:feb1:792f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5565523 errors:0 dropped:52 overruns:0 frame:0
          TX packets:161922 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:881258190 (881.2 MB)  TX bytes:48699421 (48.6 MB)
          Interrupt:10 Base address:0xc000

Thanks in advance. Any guidance is much appreciated.

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Doug Burks

May 30, 2012, 2:20:52 PM
Hi Corbin,

It sounds like you're getting packets into eth1, but there are no
processes running on that interface to sniff the traffic. When you
ran Setup, did you specify that both eth0 and eth1 should be used for
monitoring?

Since this question is specific to Security Onion, we should probably
continue this discussion on the Security Onion mailing list:
http://groups.google.com/group/security-onion

Thanks,
Doug
--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012

Eoin Miller

May 30, 2012, 2:45:13 PM
I think you need to set up your VLAN interface within the OS so you can
monitor that VLAN. I've run into this before, and just monitoring the raw
physical device actually won't let you see the VLAN tagged packets IIRC.
Once you add the VLAN interface of, say, eth0.15 (if you wanted to monitor
VLAN #15), you can then also bond that interface along with whatever
other interfaces you want to monitor and point Snort to bond0. That
should get you where you need to go, even if it is a bit of a kludge.

-- Eoin

Naresh Narang

May 30, 2012, 3:17:53 PM
Setting up a SPAN port on the switch in trunk mode and sending VLAN data to it will capture VLAN tags.

--Naresh
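Before adding VLAN sub-interfaces or bonds as Eoin describes, it helps to confirm that tagged frames for the VLAN in question actually arrive on the sniffing interface, which is the property Naresh's trunk-mode SPAN port is meant to provide. The following is an added example, not code from this thread or from Security Onion: a pure-Python 802.1Q inventory over a classic libpcap file such as one written with `tcpdump -i eth1 -w eth1.pcap`; the embedded capture (and its VLAN IDs 15 and 66) is constructed for the demo.

```python
import struct
from collections import Counter

TPIDS = (0x8100, 0x88A8)  # 802.1Q and 802.1ad (QinQ outer) tag protocol IDs

def vlan_ids(frame):
    """VLAN IDs carried by an Ethernet frame, outer tag first; [] if untagged."""
    ids, off = [], 12  # tags start right after the dst/src MAC addresses
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPIDS:
            break
        ids.append(tci & 0x0FFF)  # VID is the low 12 bits of the TCI
        off += 4
    return ids

def pcap_frames(data):
    """Yield raw frames from a classic (libpcap) capture; Ethernet link type only."""
    magic = struct.unpack_from("<I", data)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]  # KeyError => not a pcap we handle
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("capture is not LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from(end + "IIII", data, off)[2]
        off += 16
        yield data[off:off + caplen]
        off += caplen

def vlan_inventory(data):
    """Frames per outer VLAN ID (key None = untagged); a missing VID means its tags never reached this interface."""
    counts = Counter()
    for frame in pcap_frames(data):
        ids = vlan_ids(frame)
        counts[ids[0] if ids else None] += 1
    return counts

# Constructed sample capture (not from the thread): 2 frames on VLAN 15, 1 untagged, 1 QinQ 66/15.
def _frame(vids):
    hdr = bytes.fromhex("0a6090b1792f962388bd5a6c")  # dst + src MAC (placeholders)
    for v in vids:
        hdr += struct.pack("!HH", 0x8100, v)  # PCP/DEI zero, VID = v
    return hdr + struct.pack("!H", 0x0800) + bytes(20)  # IPv4 EtherType + dummy payload

SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 1338390000 + i, 0, len(f), len(f)) + f
    for i, f in enumerate([_frame([15]), _frame([15]), _frame([]), _frame([66, 15])]))

if __name__ == "__main__":
    for vid, n in vlan_inventory(SAMPLE_PCAP).items():
        print("untagged" if vid is None else "VLAN %d" % vid, n)
```

If a trunked SPAN feed shows only untagged frames here, check whether the NIC strips tags in hardware (`ethtool -k eth1` lists `rx-vlan-offload`; `ethtool -K eth1 rxvlan off` disables it) before changing the sensor configuration.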

Joel Esler

May 30, 2012, 3:36:30 PM
I don't mind Security Onion related conversations on the Snort lists, Doug. Especially when they are about Snort ;)

J