Snort mailing list archives

Re: afpacket and inline mode


From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 28 Jan 2017 16:23:43 -0700

Ok cool...you've got it set up right.  Now...how about the config, any
drop rules, and any output from the command below?

On Sat, 2017-01-28 at 14:50 -0600, Michael David wrote:
It's a third physical device, rpi. Using built in eth0, eth1 via
usb/rj45 adapter and wlan0 for management.

On Sat, Jan 28, 2017 at 2:10 PM, James Lay <jlay () slave-tothe-box net> wrote:
On Sat, 2017-01-28 at 11:47 -0600, Michael David wrote:
I am trying to configure snort to run in inline mode between a
cable modem and router.  My config tests fine and will run.  When
snort is running all traffic is blocked in and outbound, but the
log grows.  When I terminate snort I can view and log all in and
outbound traffic and Internet service returns to the LAN.

I don't understand why this is happening.  Shouldn't inline mode
let all traffic pass and let the rules allow, block and drop?

Here are some of my configurations and setup for the ports.

snort -A console -c /etc/snort/snort.conf -Q -i eth0:eth1 --daq afpacket --daq-mode inline

ifconfig eth0 0.0.0.0
ip link set eth0 multicast off
ip link set eth0 promisc on
ethtool -s eth0 speed 100 duplex full
for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth0 $i off; done

ifconfig eth1 0.0.0.0
ip link set eth1 multicast off
ip link set eth1 promisc on
ethtool -s eth1 speed 100 duplex full
for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth1 $i off; done

Is this a third physical device like say... *cable modem* <->
*snort device* <-> *router* or do you plan on running inline on the
router itself?

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the
latest Snort news!