Snort mailing list archives

Re: Inline Installation Problem


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 20 Jan 2017 08:26:35 -0700

On 2017-01-20 08:17, Michael David wrote:
Hello,

I have setup a Raspberry Pi in inline mode.  I have placed it in
between the cable modem and router with eth0 and eth1 bridged to
bridge0, all in promiscuous mode and no IPs.  I use the built in
wireless for management.  Everything seems to function, pulledpork is
working, logs and alerts are generated. However all inbound and
outbound access is blocked when running.  Here are some of the
settings I have used.  I am confused about the daq mode and types.
Using 'snort -i bridge0 -A console' allows viewing of the traffic and
Internet access is not blocked.

#set int to promisc

ip link set eth0 multicast off
ip link set eth0 promisc on
ip link set eth1 multicast off
ip link set eth1 promisc on
ip link set bridge0 multicast off
ip link set bridge0 promisc on

#set int to bridge
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
ifconfig bridge 0 0.0.0
brctl addbr bridge0
brctl addif bridge0 eth0
brctl addif bridge0 eth1
ifconfig bridge0 up

#this is what I am using to start snort
snort -A console -c /etc/snort/snort.conf -Q -i eth0:eth1 --daq afpacket --daq-mode inline

Snort creates its own "bridge", so you won't be using brctl.  Ideally 
you have three interfaces, one for management, the other for in/out.  
Otherwise NFQ is your next best bet if you only have two interfaces and 
want to act as a transparent bridge.

James
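
A preflight check for the point made in the reply above, as an added example that is not part of the original thread: it refuses an afpacket inline pair such as eth0:eth1 while either interface is still a port of a kernel bridge created with brctl. The function names and the SYSFS_NET override are hypothetical; the check relies on the `master` link and `brport` directory that Linux exposes under /sys/class/net for bridge ports.

```shell
#!/bin/sh
# Added example: verify that an afpacket inline pair is not also bridged by
# the kernel before Snort starts forwarding between the two interfaces itself.

# SYSFS_NET is a hypothetical override so the check can run against a test tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the kernel bridge an interface belongs to, or nothing if it has none.
bridge_of() {
    bo_if="$1"
    # A bridge port has a "brport" directory and a "master" link to its bridge.
    if [ -d "$SYSFS_NET/$bo_if/brport" ] && [ -L "$SYSFS_NET/$bo_if/master" ]; then
        basename "$(readlink "$SYSFS_NET/$bo_if/master")"
    fi
}

# check_inline_pair IF1:IF2
# Returns 0 if both interfaces exist and are free of any kernel bridge,
# 1 if at least one is a bridge port, 2 if the argument is not a usable pair.
check_inline_pair() {
    cip_pair="$1"
    case "$cip_pair" in
        ?*:?*) ;;
        *) echo "expected an interface pair like eth0:eth1, got '$cip_pair'" >&2
           return 2 ;;
    esac
    cip_rc=0
    for cip_if in $(echo "$cip_pair" | tr ':' ' '); do
        if [ ! -e "$SYSFS_NET/$cip_if" ]; then
            echo "interface $cip_if not found" >&2
            return 2
        fi
        cip_br=$(bridge_of "$cip_if")
        if [ -n "$cip_br" ]; then
            echo "$cip_if is a port of kernel bridge $cip_br;" \
                 "remove it with: brctl delif $cip_br $cip_if" >&2
            cip_rc=1
        fi
    done
    return "$cip_rc"
}

# Run as: sh preflight.sh eth0:eth1 && snort ... -Q -i eth0:eth1 --daq afpacket --daq-mode inline
[ "$#" -eq 0 ] || check_inline_pair "$1"
```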
