Hi there,
first time poster here, nice to meet you all.
We are trying to run Snort as an NIDS in a Container on our Proxmox. We have dedicated NICs on our server for each container (theoretically) and a Cisco 3750-Series Switch that is connected to a different Switch (which we can't manage) that provides our VLAN.
We tested a Port-Mirror with the Cisco-Switch to "Eno4" and a TC-Filter from the Hostmachine to "Eno4".
Our Proxmox is configured like this:
vmbr0 (Linux-Bridge) - IP of our Proxmox-Host, Bridge to Port "Eno1", Eno1 is connected to f0/1 on our Cisco-Switch.
vmbr1 (OVS-Bridge) - No IP-Address, OVS-Slave-Port is "Eno2", Eno2 is connected to f0/2 on our Cisco-Switch. The Bridge is connected to a Web- and a Mailserver.
vmbr2 (OVS-Bridge) - No IP-Address, OVS-Slave-Port is "Eno3", Eno3 is connected to f0/3 on our Cisco-Switch. The Bridge was connected to our Webserver, but we moved it to "vmbr1" to test a Dual-Interface-Configuration on our Snort.
vmbr3 (OVS-Bridge) - No IP-Address, OVS-Slave-Port is "Eno4", Eno4 is connected to f0/4 on our Cisco-Switch. The Bridge is connected to Snort.
What we've tried so far:
When there are two bridges connected to Snort, and both get an IP-Address, we lose access to the rest of the network.
When there are two bridges connected to Snort, and "Eno4" (the recipient of the mirror) gets an IP-Address and "Eno3" doesn't, we lose access to the rest of the network.
When there are two bridges connected to Snort, and "Eno3" gets an IP-Address and "Eno4" doesn't, we have access to the rest of the network. If we scan the Network with Snort (even in sniffer mode) on "Eno4" we receive no packets. If we scan on "Eno3", it works, but only for the traffic directed to Snort.
When we use one interface that is also the recipient of the mirror, we lose access as well.
So to sum up: We have two NICs and a Cisco 3750 Switch available and would like to configure an Ubuntu 18.04-Container running Snort, to inspect all traffic sent to it over a port mirror.
If I left some important configurations out, just tell me!
Any help would be appreciated!
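The setup the post describes, worked through as an added example (this is not the poster's configuration and not anything from Proxmox or Cisco documentation). The names come from the post: eno4 on switch port f0/4 receives the mirror, the web/mail server traffic enters the switch on f0/2, and the sniffer bridge is called vmbr3; SPAN session number 1 is an assumption, and a Linux bridge is used for vmbr3 instead of the OVS bridge in the post because its per-port learning switch is the simplest way to make a bridge pass mirrored frames. Two facts the script is built around: a Catalyst SPAN destination port does not forward frames sent into it unless the session is configured with `ingress`, so the mirror NIC cannot double as the container's uplink; and a learning bridge that sees both source and destination MAC of the mirrored conversations on the same port never forwards those frames to the container's veth, so learning has to be switched off on the mirror port. The last function is a check a practitioner would run before starting Snort: the sniffing NIC must be promiscuous and carry no IPv4 address.

```shell
#!/bin/sh
# Added example for the setup in the post; not the poster's own config.
# Assumed names (from the post): eno4 receives the mirror on switch port
# f0/4, the monitored server traffic enters on f0/2, bridge vmbr3 carries
# only mirrored frames. SPAN session 1 is an assumption.

# --- Cisco IOS side: local SPAN session ------------------------------------
# Mirrors both directions of SRC to DST. A Catalyst SPAN destination does
# not forward frames sent INTO it unless "ingress" is configured, so the
# NIC on f0/4 must not carry the container's own IP traffic.
span_config() {
  src="$1"; dst="$2"; sess="${3:-1}"
  printf 'monitor session %s source interface %s both\n' "$sess" "$src"
  printf 'monitor session %s destination interface %s\n' "$sess" "$dst"
}

# --- Proxmox side: address-less sniffer bridge -----------------------------
# /etc/network/interfaces stanza for a Linux bridge that carries only
# mirrored traffic. A learning bridge records the source MAC of every
# mirrored frame on the mirror port; a later frame addressed to such a MAC
# is then looked up as "behind that port" and is never forwarded to the
# container's veth. With learning off on the mirror port the bridge floods
# those frames to its other ports instead.
interfaces_stanza() {
  br="$1"; nic="$2"
  cat <<EOF
auto $nic
iface $nic inet manual

auto $br
iface $br inet manual
        bridge_ports $nic
        bridge_stp off
        bridge_fd 0
        post-up ip link set $nic promisc on
        post-up bridge link set dev $nic learning off
EOF
}

# --- Check: is an interface a proper passive sniffing target? -------------
# $1: output of `ip -o link show dev IF`; $2: output of `ip -o -4 addr show
# dev IF`. Passed as text so the check works on saved output as well as on
# the live host. Returns 0 only if the NIC is promiscuous and has no IPv4
# address.
sniff_iface_ok() {
  link="$1"; addr="$2"
  case "$link" in
    *PROMISC*) ;;
    *) echo "check: interface is not in promiscuous mode" >&2; return 1 ;;
  esac
  if [ -n "$addr" ]; then
    echo "check: interface has an IPv4 address; a mirror target must stay address-less" >&2
    return 1
  fi
  return 0
}

# Stand-alone run: print both configs; with CHECK_LIVE=1 also check the NIC.
NIC="${NIC:-eno4}"
echo "# Cisco:"; span_config f0/2 f0/4 1
echo "# /etc/network/interfaces:"; interfaces_stanza vmbr3 "$NIC"
if [ "${CHECK_LIVE:-0}" = 1 ]; then
  sniff_iface_ok "$(ip -o link show dev "$NIC")" "$(ip -o -4 addr show dev "$NIC")" \
    && echo "$NIC is usable as a mirror target"
fi
```

Usage: apply the two printed configs, give the container a second interface on vmbr3 with no address (for example `net1: name=eth1,bridge=vmbr3` in the container's Proxmox config, with the management address staying on the other bridge), then confirm with `tcpdump -ni eth1 -c 10` inside the container that frames for foreign MACs arrive before running `snort -v -i eth1`. `CHECK_LIVE=1 ./script.sh` runs the promiscuous/no-address check against the real NIC on the host.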