Snort mailing list archives

Re: Snort with AFPacket


From: Sec Aficionado <secaficionado () gmail com>
Date: Mon, 3 Nov 2014 20:44:15 -0500

Great, thank you for the explanation. NFQ was indeed my next step after
trying AFPacket. AFPacket was easier to build, but I did not realize it
might have serious side effects.

From the high level description of NFQ, it still works with iptables, but
in a more efficient manner?

On Mon, Nov 3, 2014 at 8:17 PM, James Lay <jlay () slave-tothe-box net> wrote:

 On Mon, 2014-11-03 at 19:16 -0500, Sec_Aficionado wrote:

I'm not sure this is what you mean, please let me know if you need more info:
The box is acting as a firewall between two subnets.

eth1 is connected to a LAN with IP addresses 192.68.70.100-200/255.255.255.0 with an address of 192.168.70.179

eth0 is acting as the DHCP server for 192.168.0.100-200/255.255.255.0 and has an address of 192.168.0.1

Before snort runs, this works OK and the two subnets are separate from each other. When snort is running, though, the 
box becomes transparent and devices in both subnets can see each other. I did not expect that, but it is an effect of 
the bridging.

Everything returns to normal when I stop snort.
On Nov 3, 2014, at 5:37 PM, James Lay <jlay () slave-tothe-box net> wrote:

> On 2014-11-03 15:24, Sec Aficionado wrote:
>> Hi there,
>>
>> I'm following the steps outlined in the guide "Snort IPS using DAQ
>> AFPacket". I compiled snort with all the requirements and I am using
>> pulledpork for the rules.
>>
>> When I start snort with
>> snort -c <conf path>/snort.conf -i eth1:eth0 -Q
>> I do get the alerts and snort stops some traffic as expected.
>> However, other functions running in that box are bypassed. The machine running
>> snort has a DHCP server, but when snort is running the DHCP server is
>> bypassed, so machines connected down the line get addresses from the
>> next DHCP server higher up in the hierarchy.
>>
>> I want to confirm that this is the expected behavior. I did not expect
>> the other functions to be bypassed, although in retrospect it makes
>> some sense.
>>
>> Is there some documentation, in addition to the manual, about this
>> behavior?
>>
>> Thanks!
>
> How are the above NICs configured?


Indeed, that is how afpacket is supposed to function.  Ideally you're on a
machine with three NICs: one for management, and the other two acting as a
bridge.  Look at NFQ if you're going to be running this on a firewall
device.

James
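The NFQ setup James points to, laid out as an added example for the two-subnet box described in the thread. This is not code from the thread or from the Snort project; interface names (eth0 on the 192.168.0.0/24 side where the box serves DHCP, eth1 on the 192.168.70.0/24 side), the queue number, the config path and the FAIL_OPEN/DRY_RUN switches are assumptions. The point it shows is the difference from the AFPacket bridge: with NFQ the kernel keeps routing, and iptables decides which packets Snort sees, so rules placed only in the FORWARD chain leave the box's own DHCP server (INPUT) untouched.

```shell
#!/bin/sh
# Added example (not from the thread): run Snort inline via the NFQ DAQ on a
# Linux box that is also a router and DHCP server, so that only forwarded
# packets are inspected and the box's own services stay reachable.
# Interface names, subnets, queue number and paths are assumptions.
set -u

LAN_IF="${LAN_IF:-eth0}"              # 192.168.0.0/24 side; this box serves DHCP here
WAN_IF="${WAN_IF:-eth1}"              # 192.168.70.0/24 side
QUEUE="${QUEUE:-0}"                   # NFQUEUE number Snort binds to
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
FAIL_OPEN="${FAIL_OPEN:-0}"           # 1 = pass traffic uninspected while Snort is down
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands only; 0 = execute (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# iptables rules that divert traffic to Snort. Only the FORWARD chain is
# touched: packets addressed to the box itself (INPUT: DHCP, SSH, ...) and
# packets it originates (OUTPUT) never enter the queue, unlike the AFPacket
# bridge, where the host IP stack is bypassed entirely.
nfq_rules() {
  bypass=""
  # Without --queue-bypass the kernel drops queued packets while no process
  # listens on the queue (fail closed). With it they are accepted (fail open).
  if [ "$FAIL_OPEN" = "1" ]; then bypass=" --queue-bypass"; fi
  printf 'iptables -I FORWARD -i %s -o %s -j NFQUEUE --queue-num %s%s\n' \
    "$WAN_IF" "$LAN_IF" "$QUEUE" "$bypass"
  printf 'iptables -I FORWARD -i %s -o %s -j NFQUEUE --queue-num %s%s\n' \
    "$LAN_IF" "$WAN_IF" "$QUEUE" "$bypass"
}

# Snort command line for NFQ: no -i, the queue number selects the traffic.
snort_cmd() {
  printf 'snort -c %s --daq nfq --daq-var queue=%s -Q\n' "$SNORT_CONF" "$QUEUE"
}

main() {
  run sysctl -w net.ipv4.ip_forward=1   # the box must keep routing between the subnets
  nfq_rules | while IFS= read -r line; do
    # shellcheck disable=SC2086
    run $line
  done
  # shellcheck disable=SC2046
  run $(snort_cmd)
}

main
```

Run it with DRY_RUN=1 (the default) to see the commands, then with DRY_RUN=0 as root. Once Snort is up, /proc/net/netfilter/nfnetlink_queue lists the bound queue with its drop counters; a peer portid of 0 means nothing is attached and, without --queue-bypass, forwarded traffic is being dropped rather than inspected.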


------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
