Can a Promiscuous mode Sensing Interface be configured with an IP address? #10306
Can a Promiscuous mode Sensing Interface be configured with an IP address for monitoring devices to connect to Security Onion? Or must all communications be via the Security Onion Management Interface? Thanks
Replies: 4 comments 1 reply
S.O ver 2.3.240
The short answer is "No". Typically the monitor port is wired using network taps for optimum configuration. When using passive network taps, the interface that feeds the SO monitor interfaces is receive only, and you have to break the laws of physics to make it send traffic through the tap monitor interface. This is the same behavior even if you are using a switch instead of network taps, like a Cisco switch, to mirror a copy of traffic to SO. For example, once you configure the "monitor session 1 destination G0/10" command, the Cisco device does not allow you to send traffic from interface G0/10.
A monitoring interface cannot be assigned an IP address (in an on-premises installation, cloud stuff is a bit different) - as TotieBash says above, that's a passive interface used only to receive traffic. That said, if you have an additional network interface on a box that you're not using as the Management or Monitoring interface, it can be assigned an IP address and used to ingest logs from other endpoints. We see this sometimes in network architectures where the Manager needs to straddle multiple subnets in order to talk to all the minions or log sources.
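The two answers above describe the expected state of a sensing interface (receive-only, no address) and contrast it with an extra interface that may carry an IP for log ingest. The script below is an added example, not code from the Security Onion project or from the thread's authors: it checks a Linux interface against that expectation by parsing `ip -o link` and `ip -o addr` output, flagging an interface that is not in promiscuous mode or that has an IPv4/IPv6 address configured. The interface names, MAC addresses and the 192.0.2.10 address are constructed sample data; `audit_live` assumes iproute2 is installed on the sensor.

```shell
#!/bin/sh
# Added example, not code from the Security Onion project or from the
# thread's authors. A sensing interface should be in promiscuous mode and
# carry no IP address, so nothing can address it directly. Input is the
# one-record-per-line output of `ip -o link show dev <if>` and
# `ip -o addr show dev <if>`; the samples below are constructed to imitate
# that output and do not come from a real sensor.

# Constructed sample: a correctly configured monitor interface
# (PROMISC flag set, no address records at all).
MON_LINK='3: enp2s0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
MON_ADDR=''

# Constructed sample: an interface that was given an IP address and is not
# promiscuous, i.e. what the original question asked about.
BAD_LINK='2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff'
BAD_ADDR='2: enp1s0    inet 192.0.2.10/24 brd 192.0.2.255 scope global enp1s0\       valid_lft forever preferred_lft forever'

# check_sensing_iface LINK_LINE ADDR_LINES
# Returns 0 when LINK_LINE shows PROMISC and ADDR_LINES holds no inet/inet6
# record; returns 1 (with the reason on stderr) otherwise.
check_sensing_iface() {
    link_line=$1
    addr_lines=$2
    case "$link_line" in
        *PROMISC*) ;;
        *) echo "interface is not in promiscuous mode" >&2; return 1 ;;
    esac
    # Any 'inet ' or 'inet6 ' record means an address is configured.
    if printf '%s\n' "$addr_lines" | grep -Eq '(^|[[:space:]])inet6?[[:space:]]'; then
        echo "interface has an IP address configured" >&2
        return 1
    fi
    return 0
}

# audit_live IFNAME: the same check against a live Linux host using
# iproute2 (assumed to be installed; not exercised by the samples below).
audit_live() {
    check_sensing_iface "$(ip -o link show dev "$1")" "$(ip -o addr show dev "$1")"
}

# Demonstration on the constructed samples.
if check_sensing_iface "$MON_LINK" "$MON_ADDR" 2>/dev/null; then
    echo "enp2s0: OK as a sensing interface"
else
    echo "enp2s0: NOT a valid sensing interface"
fi
if check_sensing_iface "$BAD_LINK" "$BAD_ADDR" 2>/dev/null; then
    echo "enp1s0: OK as a sensing interface"
else
    echo "enp1s0: NOT a valid sensing interface"
fi
```

Run it on a sensor as `audit_live enp2s0` for each configured monitor interface; an interface that passes the check is also one that cannot be used for log ingest, which is why a separate, addressed interface is needed for that role.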
One more question please... I have two monitor interfaces... is it normal that both monitoring interfaces will have the same MAC address? Thanks