This one was tricky. If you want SNORT to run as a guest, getting the port-mirrored traffic to it isn't exactly trivial.
My Host Setup:
NIC 1: Handles all bridges and VLANs
NIC 2: Dedicated to SNORT, plugged directly into the mirrored port on the switch.
Before we start, make sure your SNORT guest is off and the bridge interface that you want to use for packet sniffing is down. Getting the packets to flow properly requires a very specific sequence, and failing to follow it will only result in frustration and confusion.
First Step (on KVM Host):
Edit /etc/network/interfaces to add NIC 2 (eth3 in my case):

auto eth3
iface eth3 inet manual
#SNORT Interface
auto br3
iface br3 inet manual
    bridge_ports eth3
    bridge_stp off
Bring up br3
I'll need to test it, but you may be able to ensure the host doesn't get an address on that interface by adding the line: address 0.0.0.0
Now, the tricky part is getting the traffic to show up in the guest. On the host, first confirm that port mirroring is working properly:
sudo tcpdump -i br3
You should see a ton of traffic if the mirror port is configured properly.
Now, to get the traffic not destined for the host to go to the guest (SNORT), type in the following. An ageing time of 0 stops the bridge from learning MAC addresses, so it floods every frame out of all of its ports, including the guest's tap interface, instead of forwarding only frames addressed to the host:

brctl setageing br3 0
brctl setfd br3 0
Now, if you boot up your guest (it should have two interfaces), you should be able to run tcpdump -i eth# inside it and see the same large amount of traffic. The above is manual and will not persist across reboots.
To make it persistent in Ubuntu (replace br3 with your bridge interface name):
cd /etc/network/if-up.d
touch br3-mirror
chmod +x br3-mirror
nano br3-mirror

Contents of br3-mirror:

#!/bin/bash
if [ "$IFACE" = br3 ]; then
    brctl setageing br3 0
    brctl setfd br3 0
fi
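As an added check (not part of the original post), this script audits the result of the steps above from the host: it confirms the bridge is in hub mode (ageing and forward delay both 0), that the mirrored NIC is actually a port of the bridge, and that the host holds no IPv4 address on the sniffing bridge. It reads the bridge settings from sysfs; SYSFS_ROOT and the bridge/NIC names are assumptions you can override.

```shell
#!/bin/sh
# Audit a mirror bridge: confirm it behaves as a hub (MAC ageing 0, forward delay 0),
# that the mirrored NIC is enslaved to it, and that the host holds no IPv4 address on it.
# SYSFS_ROOT is overridable so the checks can be exercised against a constructed
# directory tree (assumption: same layout as /sys/class/net on a Linux host).
SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"

read_attr() {
    # print the value of one bridge attribute, or "missing" if the file is absent
    if [ -r "$SYSFS_ROOT/$1/bridge/$2" ]; then
        cat "$SYSFS_ROOT/$1/bridge/$2"
    else
        echo missing
    fi
}

check_mirror_bridge() {
    # $1 = bridge name (e.g. br3), $2 = mirrored NIC (e.g. eth3)
    # returns 0 when every check passes, 1 otherwise, printing one line per finding
    br="$1"; nic="$2"; rc=0
    ageing=$(read_attr "$br" ageing_time)
    fd=$(read_attr "$br" forward_delay)
    if [ "$ageing" != "0" ]; then
        echo "FAIL: $br ageing_time=$ageing (expected 0: bridge must flood, not learn MACs)"; rc=1
    fi
    if [ "$fd" != "0" ]; then
        echo "FAIL: $br forward_delay=$fd (expected 0)"; rc=1
    fi
    if [ ! -d "$SYSFS_ROOT/$br/brif/$nic" ]; then
        echo "FAIL: $nic is not a port of $br"; rc=1
    fi
    # The sniffing bridge should carry no host address; an IP here makes the host reachable on it.
    if command -v ip >/dev/null 2>&1 && ip -4 addr show dev "$br" 2>/dev/null | grep -q 'inet '; then
        echo "FAIL: host has an IPv4 address on $br"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $br is in mirror (hub) mode with $nic attached"
    return "$rc"
}

# Usage: ./check-mirror.sh br3 eth3  (bridge first, then the mirrored NIC)
if [ -n "${1:-}" ]; then check_mirror_bridge "$1" "${2:-eth3}"; fi
```

Run it after ifup and again after a reboot to confirm the if-up.d hook actually applied the ageing and forward-delay settings.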