• Support
  • Forums
  • Blogs

Recognizing the TAP / Mirror port in an Alienvault VM

ktneelyktneely

Entry Level
+1
I am trying to get my Alienvault sensor to recognize a second interface which is connected to a tap port.

My setup:
Physical Hardware / Host system
- eth0 on the LAN
- eth1 connected to a TAP betwween the switch and egress firewall
- VirtualBox

AlienVault sensor
- VirtualBox gues
- Adapter1 is a bridged adapter attached to eth0
- Adapter2 is a bridged adapter attached to eth1

The problem is that my AV installation does not recognize eth1. The OS sees eth1 on boot; dmesg prints it as and Intel PRO/1000 with connection. I cannot figure out how to make the system see the new interface. When I enter the configuration menus and choose "Setup Network Interface", I do have the option for eth1, however, it states that the interface is down. On the host system, a tcpdump -i eth1 shows that it is seeing traffic.

What should I try to fix this?

Share post:

Answers

  • have you tried "ifconfig eth1 up". I usually add something to /etc/network/interfaces like this for my span port:
    auto eth1
    iface eth1 inet manual
    up ifconfig eth1 0.0.0.0 promisc -arp
  • I thought about doing that (basically, that is the config of the host system's interfaces file), but I thought there might be an "Alienvault-approved" method to getting this working properly.

    Thanks for the suggestion!
This discussion has been closed.