Monitor Multiple VLANs With SO


gerry

Feb 11, 2016, 8:53:41 PM2/11/16
to security-onion
I currently connect my SO monitor interface to a span port on my Netgate firewall. On the firewall I set up the span port with a bridge to one of my VLANs. Unfortunately, with this setup, I can only monitor one VLAN at a time. Note, I erroneously bridged all VLANs to the single span port the other day and crashed my network - a good learning experience!

I would like to try and monitor all VLANs with SO. Here is my question: if I configure one of the ports on my managed switch to output all of my VLANs (tagged) and connect this port to my SO monitor port, will SO monitor all of the VLANs?

Thanks in advance for your help.

Gerry

Doug Burks

Feb 12, 2016, 1:27:08 PM2/12/16
to securit...@googlegroups.com
Hi gerry,

In theory, this *should* work fine as long as *all* traffic is tagged
with the proper VLANs in *both* directions. Some folks have
encountered situations where only one side of the traffic (rx or tx,
but not both) had VLAN tags and this can cause issues with
Snort/Suricata/Bro.

If you try it out, please report back with your results.
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at https://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
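A way to test for the one-sided tagging Doug mentions, as an added example that is not from this thread or from the Security Onion project: feed the output of `tcpdump -e -nn` from the sniffing interface into the shell function below and it reports conversations where one direction carries an 802.1Q tag and the other does not. The interface name eth1 and the sample capture lines are assumptions made up for the example; the line layout follows the format tcpdump prints with -e -nn (link-layer header, then "vlan <id>" for tagged frames).

```shell
#!/bin/sh
# Added example (not from the thread or the Security Onion project): check
# whether a SPAN/mirror feed carries 802.1Q tags in BOTH directions of each
# conversation, the failure mode described in the reply above.
#
# Live use on the sensor (assumed interface name eth1):
#   sudo tcpdump -i eth1 -e -nn -c 5000 2>/dev/null | vlan_symmetry
#
# vlan_symmetry reads "tcpdump -e -nn" lines on stdin. With -e tcpdump prints
# the link-layer header, so a tagged frame shows "ethertype 802.1Q (0x8100)"
# followed by "vlan <id>", while an untagged one goes straight to "ethertype IPv4".
vlan_symmetry() {
    awk '
    {
        # Tag status of this frame: "vlan<id>" or "untagged".
        tag = "untagged"
        if (match($0, /vlan [0-9]+,/)) tag = "vlan" substr($0, RSTART + 5, RLENGTH - 6)

        # Locate "src.port > dst.port:" (IPv4 only; -nn prints numeric addresses).
        # MAC addresses also contain " > " but never four dotted decimal octets.
        if (!match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)? > [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)?:/))
            next
        pair = substr($0, RSTART, RLENGTH - 1)
        split(pair, ep, " > ")
        src = host(ep[1]); dst = host(ep[2])

        frames++
        if (tag == "untagged") untagged++; else tagged++

        # Remember every distinct tag status seen for this direction.
        k = src "|" dst
        if (index(dir[k], "[" tag "]") == 0) dir[k] = dir[k] "[" tag "]"
    }
    # Strip a trailing port from "a.b.c.d.port" (keeps the first four octets).
    function host(s,   a, n) {
        n = split(s, a, ".")
        return a[1] "." a[2] "." a[3] "." a[4]
    }
    END {
        printf "frames=%d tagged=%d untagged=%d\n", frames, tagged, untagged
        for (k in dir) {
            split(k, p, "|")
            r = p[2] "|" p[1]
            # Report each conversation once, and only when the reverse
            # direction was seen with a different tag status.
            if ((r in dir) && k < r && dir[k] != dir[r])
                printf "ASYMMETRIC %s -> %s %s, reverse %s\n", p[1], p[2], dir[k], dir[r]
        }
    }'
}

# Constructed sample in "tcpdump -e -nn" layout (not a real capture): the
# client -> server direction of the first conversation carries the VLAN 10
# tag but the replies come back untagged; the second conversation on VLAN 20
# is tagged both ways.
SAMPLE_CAPTURE='20:55:09.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype 802.1Q (0x8100), length 78: vlan 10, p 0, ethertype IPv4 (0x0800), 192.168.10.5.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
20:55:09.000002 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 93.184.216.34.443 > 192.168.10.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
20:55:09.000003 00:11:22:33:44:66 > 66:77:88:99:aa:bb, ethertype 802.1Q (0x8100), length 78: vlan 20, p 0, ethertype IPv4 (0x0800), 192.168.20.7.40000 > 10.0.0.1.53: UDP, length 32
20:55:09.000004 66:77:88:99:aa:bb > 00:11:22:33:44:66, ethertype 802.1Q (0x8100), length 102: vlan 20, p 0, ethertype IPv4 (0x0800), 10.0.0.1.53 > 192.168.20.7.40000: UDP, length 56'

# Dry run on the constructed sample:
#   printf '%s\n' "$SAMPLE_CAPTURE" | vlan_symmetry
```

If `tcpdump -e` shows no 802.1Q tags on any frame even though the switch is sending them tagged, check whether the NIC is stripping them before the capture path sees them (`ethtool -k eth1 | grep vlan-offload`) and turn receive VLAN offload off (`ethtool -K eth1 rxvlan off`). The quick filter `tcpdump -i eth1 -e -nn 'not vlan'` shows only the untagged frames, which is enough to spot a one-sided feed by eye.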

gerry

Feb 12, 2016, 9:05:13 PM2/12/16
to security-onion
Hello Doug,

Thanks for the response.

I tried the configuration and had limited success. Using Wireshark, I see limited traffic (ARP, IGMP, mDNS) across all of the VLANs. However, when I establish a connection with the speedtest.net service, I do not see any of that traffic. In retrospect, since I am feeding the SO monitor port from an output port of my managed switch, I should not see all of the traffic across any one VLAN by design. This sounded like a good idea at the time but was not well thought out.

I think the solution is to simplify my home network. I intentionally made it more complex than necessary to learn about managed switches and VLANs.

Thanks for your help.

Gerry

Jeff H

Feb 14, 2016, 12:19:25 PM2/14/16
to securit...@googlegroups.com
Hi Gerry,

Depending on the capabilities of your switch you may be able to accomplish what you're after. Did you configure the port that was feeding Security Onion's monitor interface as a SPAN port or mirror port?

For instance if you're interested in monitoring traffic to/from the internet you could configure your switch to mirror the traffic on the port connected to your router and connect that to Security Onion's monitor interface.

Jeff

gerry

Feb 15, 2016, 8:55:09 PM2/15/16
to security-onion
Hello Jeff,

Thanks for your suggestion. I looked at my switch manual and found that I could mirror the port from my firewall that has the multiple VLANs. From a couple of tests that I have run tonight, I think it might be working!

Thanks again!

Gerry

Doug Burks

Feb 16, 2016, 8:31:09 AM2/16/16
to securit...@googlegroups.com
If you haven't already, you may want to check and make sure the
following are set properly to see all of your VLAN tagged traffic:
- MTU of sniffing interface
- snaplen of Snort/Suricata
- PF_RING Bucket Len

For more information, please see:
https://groups.google.com/d/topic/security-onion/1sDHn0AwDXc/discussion

gerry

Feb 16, 2016, 8:40:51 PM2/16/16
to security-onion
Hello Doug,
How do I display the Snort/Suricata snaplen and PF_RING Bucket Len?
Thanks,
Gerry

Wes

Feb 16, 2016, 9:00:28 PM2/16/16
to security-onion

Gerry,

Try taking a look in:

#Suricata
/etc/nsm/HOSTNAME-INTERFACE/suricata.yaml

#Snort
/etc/nsm/HOSTNAME-INTERFACE/snort.conf

#PF_RING
/proc/net/pfring/

Thanks,
Wes
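To put numbers on Doug's checklist using the files Wes lists, here is an added example (mine, not the thread's or Security Onion's) that works out the minimum snaplen for a given MTU and number of VLAN tags, reads the configured value out of snort.conf or suricata.yaml, and on a live sensor prints the interface MTU and the "Bucket Len" line of any PF_RING ring bound to that interface. The arithmetic: Linux hands libpcap a frame without its FCS, so a full-size IPv4 frame on a 1500-byte MTU link is 1514 bytes, one 802.1Q tag makes it 1518, and a second (QinQ) tag 1522. The config fragments are constructed for the dry run, the HOSTNAME-INTERFACE directory names under /etc/nsm are assumptions, and the "Bucket Len" field name in /proc/net/pfring is quoted from memory, so verify it against the kernel module you are running.

```shell
#!/bin/sh
# Added example (not from the thread or the Security Onion project): check
# the snaplen / MTU / PF_RING bucket length items from the checklist above,
# reading the config files at the locations given in Wes's reply.
#
# Live use on the sensor (HOSTNAME-INTERFACE directory name is assumed):
#   check_capture_sizes eth1 /etc/nsm/sensor-eth1/suricata.yaml
#   check_capture_sizes eth1 /etc/nsm/sensor-eth1/snort.conf

# Frame size that must fit without truncation: MTU + 14-byte Ethernet header
# + 4 bytes per 802.1Q tag (tags=2 for QinQ). No FCS: libpcap never sees it.
required_snaplen() {
    mtu=$1; tags=${2:-1}
    echo $(( mtu + 14 + 4 * tags ))
}

# Pull the configured snaplen out of either engine's config:
#   snort.conf     -> "config snaplen: 1518"
#   suricata.yaml  -> "default-packet-size: 1514"
# Prints the number, or nothing if the setting is absent or commented out
# (then the engine's own default applies; check it for the version in use).
extract_snaplen() {
    sed -n \
        -e 's/^[[:space:]]*config[[:space:]]*snaplen:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        -e 's/^[[:space:]]*default-packet-size:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        "$1" | head -n 1
}

# Compare a config file's snaplen against what the given MTU needs.
# Returns 0 when adequate, 1 when too small or unset.
check_snaplen() {
    file=$1; mtu=$2; tags=${3:-1}
    need=$(required_snaplen "$mtu" "$tags")
    have=$(extract_snaplen "$file")
    if [ -z "$have" ]; then
        echo "$file: snaplen not set (engine default applies); need >= $need"
        return 1
    fi
    if [ "$have" -lt "$need" ]; then
        echo "$file: snaplen $have too small for MTU $mtu with $tags tag(s); need >= $need"
        return 1
    fi
    echo "$file: snaplen $have ok (need >= $need)"
    return 0
}

# Live checks: interface MTU from sysfs, the config snaplen, and the PF_RING
# ring description. "Bucket Len" is the field name I remember PF_RING using
# in /proc/net/pfring/<pid>-<iface>.<n>; verify it on your module version.
check_capture_sizes() {
    iface=$1; cfg=$2
    mtu=$(cat "/sys/class/net/$iface/mtu")
    echo "$iface MTU: $mtu (compare with the largest frame on the mirrored segment)"
    check_snaplen "$cfg" "$mtu"
    for ring in /proc/net/pfring/*"$iface"*; do
        [ -f "$ring" ] && echo "$ring: $(grep -i 'bucket len' "$ring")"
    done
}

# Constructed config fragments (not copied from a real sensor) for a dry run:
# Snort at 1518 passes for one tag on a 1500 MTU link; Suricata at 1514 does not.
SAMPLE_SNORT_CONF='# snort.conf excerpt
config snaplen: 1518
config daq: pfring'
SAMPLE_SURICATA_YAML='%YAML 1.1
---
default-packet-size: 1514
af-packet:
  - interface: eth1'

# Dry run:
#   printf '%s\n' "$SAMPLE_SURICATA_YAML" > /tmp/suricata.yaml
#   check_snaplen /tmp/suricata.yaml 1500
```

The value PF_RING reports as the bucket length is set by whichever application opened the ring, so if it comes out smaller than the snaplen you configured, the engine is not passing that snaplen through to PF_RING and the 4 extra bytes of every tagged frame are still being cut off there.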

Doug Burks

Feb 17, 2016, 6:22:37 AM2/17/16
to securit...@googlegroups.com

gerry

Feb 17, 2016, 8:45:50 PM2/17/16
to security-onion

Wes/Doug,
Thanks for the information. I have adjusted snaplen and interface MTU and will monitor to see if it makes a difference.
Gerry
