Snort mailing list archives

Re: Inline config won't pass DHCP


From: Glenn Fowler <gfowler1 () outlook com>
Date: Mon, 9 May 2016 10:54:12 -0400

Hi,

Using afpacket daq. Unfortunately, 2.9.8 can't be upgraded quickly or
easily but will eventually be done.

Inline mode:

ifconfig eth0 up promisc
ifconfig eth2 up promisc
procd_set_param command $PROG "-i" "eth0:eth2" "--daq-dir" "/usr/lib/daq/" \
    "-QND" "-c" "/etc/snort/snort_bridge.conf" "--pid-path" "/var/snort/" \
    "--create-pid"

In the config:

config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/lib/daq/
config daq_mode: inline
config daq_var: buffer_size_mb=300


On Sun, May 8, 2016 at 9:21 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

Hello,



Can you show us how you are starting snort inline? Are you using afpacket?
NFQ?



Also 2.9.7 has been EOL for some time. You may want to use 2.9.8 and see
if the problem still exists.



Thanks!



*Albert Lewis*

QA SNORT/Sourcefire

SOURCE*fire*, Inc. now part of *Cisco*

9780 Patuxent Woods Drive
Columbia, MD 21046

Phone: (office) 443.430.7112

Email: allewi () cisco com



*From:* Glenn Fowler [mailto:gfowler1 () outlook com]
*Sent:* Sunday, May 08, 2016 6:40 PM
*To:* snort-users () lists sourceforge net
*Subject:* [Snort-users] Inline config won't pass DHCP



Hello all,



I have been trying to figure this out for a while now. Running 2.9.7.2
inline. If my modem is power cycled, the DHCP info (discover, offer,
request, ack) will not pass through snort. No rules are fired. However, if
I connect the modem directly to the router bypassing snort until the DHCP
lease is established and then physically reconnect snort back inline,
traffic flows fine. I can even then do a DHCP release and renew with snort
inline and it works, so I know snort is passing that UDP traffic fine.



My first thought was to increase the UDP timeout from the default 30,
because of the modem power-up time: preprocessor stream5_udp: timeout 180



After changing, the logs show:



Sun May  8 18:30:19 2016 daemon.notice snort[8460]:     UDP cache pruning timeout: 30 seconds

Sun May  8 18:30:19 2016 daemon.notice snort[8460]:     UDP cache nominal timeout: 180 seconds



I haven't found anywhere to change "UDP cache pruning timeout". Can this
be changed or am I going completely in the wrong direction?



Any help appreciated...

Glenn
