Re: IPS Inline Mode

[Erdem Çulcu <erdem () boryazilim com>]

[image: Inline image 1]
We have 3-4 switches and all switches has 5 pc as average. Additional 7-8
PC connect with WLAN.

I see traffic but ı cant see TCP traffic.


On Fri, Jun 20, 2014 at 7:54 PM, Y M <snort () outlook com> wrote:

> How are the "other machines" and Snort are connected (same switch)? Is the
> interface on Snort connected to mirror port or something similar on the
> switch? Try running tcpdump and view the packets to verify if you see
> traffic from other machines. If not, then you need to configure mirroring
> port on the switch, to which the NIC on Snort box will be connected
> (promiscuous).
>
> If you get the first problem sorted out, use the guide at
> http://s3.amazonaws.com/snort-org/www/assets/229/ids2ips.txt to help you
> with the inline mode using NFQ.
>
> YM
>
> ------------------------------
> Date: Fri, 20 Jun 2014 11:51:04 +0300
> From: erdem () boryazilim com
>
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] IPS Inline Mode
>
> Hi,
>
> I am new on Snort
>
> I installed with guide and run IDS mode.
>
> I have two problems.
>
> Firstly, Snort handle only host machine packets. I write some rules
> example:
> alert tcp any any -> any any (content:"www.facebook.com";msg:"Facebook
> Accessing";sid:1000001;)
>
> This rule works only machine which installed Snort. Other machines
> accesses are not handled.
>
> Other problem is Inline Mode.
>
> I run with this command
>
> snort --daq nfq -Q -c /etc/snort/snort.conf  --daq-dir /usr/local/lib/daq
> --daq-var device=eth0 -i eth0
>
> Snort gives this error
>
> ERROR: Can't initialize DAQ nfq (-7) - The nfq DAQ module does not support
> interface or readback mode!
>
> If I remove "-i eth0", Snort works but do not handle any packets
>
> Thanks for replies
>
> Good Works
>
> ------------------------------------------------------------------------------
> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
> Find What Matters Most in Your Big Data with HPCC Systems Open Source.
> Fast. Scalable. Simple. Ideal for Dirty Data. Leverages Graph Analysis for
> Fast Processing & Easy Data Exploration http://p.sf.net/sfu/hpccsystems
> _______________________________________________ Snort-users mailing list
> Snort-users () lists sourceforge net Go to this URL to change user options
> or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users
> <https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>
> list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!

------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!