Re: snort inline mode in CentOS 6.6

[James Lay <jlay () slave-tothe-box net>]

On Sat, 2015-05-02 at 12:46 +0200, Abdallah Jabbour wrote:
> Hello , 
>
>
>
> i have installed snort on CentOS6.6 in a KVM Guest machine , it a
> router/ firewall using iptables , i followed the installation and
> configuration steps and tested the configuration file validity ( using
> -T command line arg ) 
>
>
>
> i enabled inline mode :
>
>
> in configuration file : i added and uncommented the following lines : 
>
>  config policy_mode:inline 
>
>  config daq: afpacket
>  config daq_dir: /usr/lib64/daq/
>  config daq_mode: inline
>  config daq_var: buffer_size_mb=128
>
>
> and also in /etc/sysconfig/snort 
>
>
> INTERFACE=eth0:eth1
>
>
> and start the snort service 
>
>
> the network connection ( locally and to the internet ) is dropped i
> cannot ping any host on the network . 
>
>
> i added some rules to /etc/snort/rules/local.rules 
>
> to see if alerting is working , i can see alerts being written
> to /var/log/snort/alert after i reboot the machine ( since there is no
> network connectivity ) .
>
>
> i know that inline mode will put the network interfaces eth0 and eth1
> in promiscuous mode and will bridge the network connection to get the
> network traffic . is there anything i am missing my setup  ? 
>
>
>
>
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud 
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


To eth0 and eth1 have IP addresses assigned? 

James

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!