03-25-2017 02:59 AM - edited 03-10-2019 06:48 AM
Hi All,
I have a doubt about my setup. I am not sure whether the setup I have built is as per IDS standards or not, but SNORT IDS is not capturing traffic. I want to be sure that, from the switch end, I have mapped the needs of the IDS. Below is the setup I have built.
Step1:
Built EIGRP between the router and the switch over a Checkpoint transparent firewall. Neighborship/routes are received as expected.
Router4431---Gi0/0/1Routed Port(IP- 10.10.10.10/29)---------(L2 Bridge)Checkpoint(L2Bridge)---------Gig 0/0/1Routed Port(10.10.10.9/29)3850.
Step2:
Created Snort on a VM on the Dell server on a shared NIC (vSwitch Group2) with IP 10.10.5.19. The NIC is connected to 3850 L2 port Gi0/0/2. This IP is reachable from the network and working as expected. Other VMs under this vSwitch group are also reachable. The Snort service on the VM is active and running.
Step3:
The need is to monitor the traffic on the inside interface of the 3850 switch, i.e. Gi0/0/1, which is routed, to capture traffic which is received and transferred over this inside port.
I have used a port on the Dell server on a separate NIC, which is placed under vSwitch Group3, dedicated to the Snort mirror port, and connected to 3850 L2 port Gi0/0/3. No IP is assigned to this port. The switch port configuration for mirroring is as below.
!
! Connected to Dell Server Shared Vswitch NIC 2 for all VMS
interface gi0/0/1
no shut
no switchport
ip add 10.10.10.9 255.255.255.248
!
! Connected to Dell Server Shared Vswitch NIC 2 for all VMS
interface gi0/0/1
no shut
! VLAN for VM Servers including SNORT
switchport access vlan 2201
!
! Connected to Dell Server dedicated Vswitch NIC 3 for Snort Mirroring
interface gi0/0/3
no shut
switchport mode access
!
monitor session 2 source interface Gi0/0/1 both
monitor session 2 destination interface Gi0/0/3
!
Is the above setup correct? I am not getting logs in Snort; I think I am missing something. Please share your thoughts on this: can we monitor a routed port as a source, and will the mirror port on the Snort side work without an IP?
Regards,
Vishal
03-29-2017 01:16 AM
Did you enable "Promiscuous Mode" on your vSwitch?
https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004099
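An added example, not part of the original thread: one way to tell whether the Snort VM's sniffing NIC is really receiving the mirrored traffic is to run a short `tcpdump -e -n` capture on that interface and look at the destination MACs. The sketch below classifies such output; the function names, MAC addresses and capture lines are constructed for illustration, and the verdicts are a heuristic, not a vendor procedure.

```python
import re

# Matches the link-level header that `tcpdump -e -n` prints for each frame:
# "<time> <src MAC> > <dst MAC>, ethertype ..."
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FRAME_RE = re.compile(rf"^\S+\s+({MAC})\s+>\s+({MAC}),", re.IGNORECASE)

def classify_capture(lines, local_mac):
    """Count frames by destination MAC type as seen on the sniffing NIC."""
    counts = {"own": 0, "group": 0, "foreign_unicast": 0, "unparsed": 0}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = FRAME_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        dst = m.group(2).lower()
        if dst == local_mac.lower():
            counts["own"] += 1
        elif int(dst[:2], 16) & 1:  # I/G bit set: broadcast or multicast
            counts["group"] += 1
        else:
            counts["foreign_unicast"] += 1
    return counts

def diagnose(counts):
    """Heuristic verdict for a SPAN destination feeding an IDS."""
    if counts["foreign_unicast"]:
        return "mirror-visible"   # unicast between other hosts reaches the VM
    if counts["group"] or counts["own"]:
        return "filtered"         # only broadcast/multicast: check vSwitch promiscuous mode
    return "no-traffic"           # nothing arrives: check the SPAN session and cabling

# Constructed sample data (not from the thread).
LOCAL_MAC = "02:00:00:00:05:19"
SAMPLE_FILTERED = """
10:00:00.000001 02:00:00:00:00:0a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.10.10.9 tell 10.10.10.10, length 46
10:00:01.000002 02:00:00:00:00:0a > 01:00:5e:00:00:0a, ethertype IPv4 (0x0800), length 74: 10.10.10.10 > 224.0.0.10: EIGRP Hello, length: 40
"""
SAMPLE_MIRRORED = SAMPLE_FILTERED + """
10:00:02.000003 02:00:00:00:00:0a > 02:00:00:00:00:09, ethertype IPv4 (0x0800), length 66: 10.10.10.10.51000 > 10.10.5.19.22: Flags [S], seq 1, win 64240, length 0
"""

if __name__ == "__main__":
    for name, text in (("filtered", SAMPLE_FILTERED), ("mirrored", SAMPLE_MIRRORED)):
        c = classify_capture(text.splitlines(), LOCAL_MAC)
        print(name, c, diagnose(c))
```

A "filtered" verdict means only broadcast and multicast frames reach the VM, which is what a port group that rejects promiscuous mode would produce; "mirror-visible" means unicast traffic between other hosts is arriving, so the remaining checks are on the Snort side.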